I did a podcast with Gary McGraw which is available here. Gary's questions were great; I could have written a ten-page whitepaper in response to most of them, but I tried to sum up my thoughts on "what is security" and how you might approach security in the SOA, Web 2.0, and federation spaces. Gary is always interesting to talk to since he has done a major percentage of the valuable work in security.
One point I raised in the podcast is that I see a common misconception in the industry which I sum up as the "what got you here won't get you there" problem. We have had a long, hard slog getting support for software security, and now, thanks to Gary's and others' work, it's finally starting to take root. It is taking root especially in financial services. One thing I see, though, is that vendors commonly make a big sale or three in a financial services player, then go to an insurance company, a manufacturer, or another large player and say "hey, do what Ginormous Globobank is doing." Problem is, their business models are different, their IT is different, and so on. We have done a decent job bootstrapping some security practices in financial services, but we need other models for other verticals.
Hi Gunnar,
Great interview. And Gary has the rare skill as a podcast interviewer to make it great. I already made my comments on your Silver Bullet podcast page, but your comments in this blog post take me back to my comments on Adam Shostack's previous Silver Bullet podcast:
"I wonder why as a community that we aren't talking more about application classification. I have seen only this paper:
The Importance of Application Classification in Secure Application Development
http://www.webappsec.org/projects/articles/041607.shtml"
I do lifecycle reviews and pentests/audits/assessments for different "verticals", as you call them (financials, government, telecoms, etc.), and certainly they are approached differently.
I just wonder why there's not more focus on this. Am I missing something?
Stephen
Posted by: Stephen Craig Evans | June 21, 2008 at 02:02 PM