

Andrew Yeomans

While checking the RSA booths, another fun thing to count is how many booths are fixing some other product's security problem, compared with directly providing security value of their own.

Maarten Hazewinkel

I think there's a bit more to it than just the background experience of security people:
For one, walling off your garden is a much simpler concept to explain to management than making your garden intruder resistant.
For another, network security equipment can be booked as a capital expense, while developer time is an operational expense, and capital expenditures have accounting and tax benefits you don't get for operational expenditures.


I think these days most infrastructure devices include some sort of application security layer too, which makes the budgeting exercise a bit more difficult. For example, Snort IDS (and commercial IDS) are capable of looking at web application attacks to some extent. Also, Cisco security devices have application layer security built into them, which is somewhat limited, but nevertheless, I think with Threat Management Gateways gaining more hold in enterprises, the line between infra and app sec is becoming thinner.

Just my thoughts.
