Re: [SC-L] InformIT: budgeting for software security

2008-04-13 Thread Kenneth Van Wyk


On Apr 13, 2008, at 6:23 AM, Stephen Craig Evans wrote:
> Wow, that's a flimsy connect-the-dots if I've ever seen one :-)  We
> could have fun with this but I don't want to stray 100% off-topic
> (if we're not there already).


Let's let this thread die away, please folks.  Unless any replies are  
directly tied to the topic of software/application security, they'll  
be dispatched directly to /dev/null.  Thanks!


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator

KRvW Associates, LLC
http://www.KRvW.com







___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] InformIT: budgeting for software security

2008-04-13 Thread Stephen Craig Evans
Hi Jim,

Wow, that's a flimsy connect-the-dots if I've ever seen one :-)  We could
have fun with this but I don't want to stray 100% off-topic (if we're not there
already).

Very coincidentally, I watched South Park Season 10 Episode 6 after my first
post. I rest my case.

I'm sure Al Gore's appearance was a pure Left Coast feel-good kumbaya "we're
doing something to help because we care" type of deal. I hope you don't take
my criticism too seriously.

> As Gary pointed out, there is a 1000-1 "Marketer vs attendee" ratio

I guess the bright side is that the female to male ratio was a bit more even
:-)

Cheers,
Stephen

On Sat, Apr 12, 2008 at 3:53 AM, Jim Manico <[EMAIL PROTECTED]> wrote:

>  No, there is not a direct connection but Green and InfoSec do have a few
> degrees of connection.
>
> InfoSec -> Is a part of -> IT -> manages -> Datacenters -> suck up 3% of
> word power -> is becoming more expensive -> Green -> Al Gore
>
> >  RSA conferences *were* focused on infosec, and on cryptography in
> particular
>
> RSA is a Marketing/Fluff event - As Gary pointed out, there is a 1000-1
> "Marketer vs attendee" ratio. Case in point: SANS is teaching there now! :D
>
> - Jim
>
>
>  Jim,
>
> In response to Stephen's question, you wrote...
>
>
>
>  What does 'green technology' have to do with infosec?
>
>
>  Data centers worldwide use at least 3% of all global electricity. With
> the growing cost of oil/power - most large corporations are looking for
> ways to reduce power consumption at their data centers. Google is
> building new database centers near cheap power, cheap land, and cheap
> water. Sun has "bet the farm" on Green issues. IBM and Intel have
> green/sustainability departments as well.
> http://www.baselinemag.com/c/a/Infrastructure/Disruptive-Forces-Sun-Microsystems/
>
>  Maybe I need someone to connect the dots for me, but IMO, your response
> _still_ doesn't adequately answer Stephen's question.
>
> You addressed why 'green technology' is good in general and why businesses
> are pursuing it, but not what it has to do w/ information security. Certainly,
> if there is a connection here, it is not a direct one.
>
> I don't want to speak for Stephen (but will anyways ;-), but I think it's unfair
> to interpret his remark as implying that green technology is bad or some sort
> of voodoo. In the context, I think his concern was that in the past, the RSA
> conferences were focused on infosec, and on cryptography in particular. Apparently,
> based on Stephen and gem's comments, it seems to have lost its focus. I think
> that's all that was being implied here.
>
> -kevin
> ---
> Kevin W. Wall Qwest Information Technology, [EMAIL PROTECTED] Phone: 
> 614.215.4788
> "The reason you have people breaking into your software all
> over the place is because your software sucks..."
>  -- Former White House cyber-security adviser, Richard Clarke,
> at eWeek Security Summit
>
>
>
>
>
>
> --
> Jim Manico, Senior Application Security Engineer
> [EMAIL PROTECTED] | [EMAIL PROTECTED]
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source http://www.aspectsecurity.com
>
>


Re: [SC-L] InformIT: budgeting for software security

2008-04-12 Thread Dave Aronson
Jim Manico wrote:

> Datacenters -> suck up 3% of word power

Oh, that must explain why, as we become more and more dependent on 
companies with data centers, we find ourselves less and less able to 
actually communicate clearly with each other  ;-)

-Dave

-- 
Dave Aronson
"Specialization is for insects." -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/


Re: [SC-L] InformIT: budgeting for software security

2008-04-12 Thread Jim Manico
No, there is not a direct connection but Green and InfoSec do have a few 
degrees of connection.


InfoSec -> Is a part of -> IT -> manages -> Datacenters -> suck up 3% of
word power -> is becoming more expensive -> Green -> Al Gore


>  RSA conferences *were* focused on infosec, and on cryptography in
particular


RSA is a Marketing/Fluff event - As Gary pointed out, there is a 1000-1
"Marketer vs attendee" ratio. Case in point: SANS is teaching there now! :D


- Jim


> Jim,
>
> In response to Stephen's question, you wrote...
>
> >> What does 'green technology' have to do with infosec?
> >
> > Data centers worldwide use at least 3% of all global electricity. With
> > the growing cost of oil/power - most large corporations are looking for
> > ways to reduce power consumption at their data centers. Google is
> > building new database centers near cheap power, cheap land, and cheap
> > water. Sun has "bet the farm" on Green issues. IBM and Intel have
> > green/sustainability departments as well.
> >
> > http://www.baselinemag.com/c/a/Infrastructure/Disruptive-Forces-Sun-Microsystems/
>
> Maybe I need someone to connect the dots for me, but IMO, your response
> _still_ doesn't adequately answer Stephen's question.
>
> You addressed why 'green technology' is good in general and why businesses
> are pursuing it, but not what it has to do w/ information security. Certainly,
> if there is a connection here, it is not a direct one.
>
> I don't want to speak for Stephen (but will anyways ;-), but I think it's unfair
> to interpret his remark as implying that green technology is bad or some sort
> of voodoo. In the context, I think his concern was that in the past, the RSA
> conferences were focused on infosec, and on cryptography in particular. Apparently,
> based on Stephen and gem's comments, it seems to have lost its focus. I think
> that's all that was being implied here.
>
> -kevin
> ---
> Kevin W. Wall   Qwest Information Technology, Inc.
> [EMAIL PROTECTED]   Phone: 614.215.4788
> "The reason you have people breaking into your software all
> over the place is because your software sucks..."
>  -- Former White House cyber-security adviser, Richard Clarke,
> at eWeek Security Summit



--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com



Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread Gary McGraw
Hi all,

Larry has it right.  There was very little technical content at RSA this year.
All of the vendors on the show floor had pitches that sounded exactly the same.
Last year there was much more software security presence.

The good news for our field is that at the (small) executive forum, there was a 
fair amount of discussion of software security.  Justin Peavey from Omgeo put 
together a panel on software security that I helped with.  That was good.

Now attempting to fly home on the united cattle call cart.

Moo

gem

- Original Message -
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: SC-L@securecoding.org 
Sent: Fri Apr 11 10:31:13 2008
Subject: Re: [SC-L] InformIT: budgeting for software security

At 8:14 AM -0500 4/11/08, Wall, Kevin wrote:

> In the context, I think his concern was that in the past, the RSA
> conferences were focused on infosec, and on cryptography in particular. Apparently,
> based on Stephen and gem's comments, it seems to have lost its focus. I think
> that's all that was being implied here.

Some years ago at an RSA Conference I recall seeing Jefferson
Starship.  At least one song had altered lyrics for the GAK
issue of the year, but that was not a whole lot of security
content in a general session.
--
Larry Kilgallen


Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread Stephen Craig Evans
Hi Jim,

I am an infosec newbie but a fierce historian. I have read your previous
posts and I completely respect you.

I cannot agree with your premise that resources are limited on Planet Earth.
There are gobs and gobs of oil to be had within the boundaries of the United
States but the eco-nazis have prevented it, hence creating $3 dollar gallon
of gas and our dependence on very unsavoury characters. The same with
nuclear power (look up a great George Gilder interview on
itconversations.com).

Of course, that's why all the big security vendors and their underlings (the
mainstream press) create all of this hoopla; otherwise, they would be out of
work.

Cheers,
Stephen

P.S. Thanks to the Moderator for letting this through.

On Fri, Apr 11, 2008 at 3:57 AM, Jim Manico <[EMAIL PROTECTED]> wrote:

>  > What does 'green technology' have to do with infosec?
>
> Data centers worldwide use at least 3% of all global electricity. With
> the growing cost of oil/power - most large corporations are looking for ways
> to reduce power consumption at their data centers. Google is building new
> database centers near cheap power, cheap land, and cheap water. Sun has "bet
> the farm" on Green issues. IBM and Intel have green/sustainability
> departments as well.
>
>
> http://www.baselinemag.com/c/a/Infrastructure/Disruptive-Forces-Sun-Microsystems/
>
> - Jim
>
>
> Hi Gary,
>
> How can any security conference that has Al Gore as a keynote speaker be
> taken seriously? What does 'green technology' have to do with infosec? And
> why is his keynote the only one with the tag "(Please note that this
> keynote session will not be available via webcast replay.)"? Now there's
> openness for you  (/sarc). What a joke.
>
> I'm looking forward to your new series of columns; they were getting too
> infrequent on Dark Reading.
>
> Cheers,
> Stephen
>
> On Wed, Apr 9, 2008 at 2:21 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:
>
> > Hi sc-l,
> >
> > Greetings from RSA.  This year the marketing people outnumber the
> > technical people 1000 to 1.  There are over 18,000 people here.  You do the
> > math.
> >
> > I recently moved my monthly security column from darkreading to
> > informIT.  I am refocusing the column on software security and business.
> >
> > My first column just went live:
> > http://www.informit.com/articles/article.aspx?p=1189519
> >
> > It's about a business trick that Phil Venables uses with great
> > success---that is, using TCO to drive security into software.  This shows
> > what you can accomplish with a combination of software insight and business
> > acumen.
> >
> > I'm very much interested in your feedback on my move to informIT as well
> > as the content of this first article.  Let me know what you think.
> >
> > gem
> >
> > www.cigital.com/~gem
> >
> --
> Jim Manico, Senior Application Security Engineer
> [EMAIL PROTECTED]
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source http://www.aspectsecurity.com
>


Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread ljknews
At 8:14 AM -0500 4/11/08, Wall, Kevin wrote:

> In the context, I think his concern was that in the past, the RSA
> conferences were focused on infosec, and on cryptography in particular. Apparently,
> based on Stephen and gem's comments, it seems to have lost its focus. I think
> that's all that was being implied here.

Some years ago at an RSA Conference I recall seeing Jefferson
Starship.  At least one song had altered lyrics for the GAK
issue of the year, but that was not a whole lot of security
content in a general session.
-- 
Larry Kilgallen


Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread Wall, Kevin
Jim,

In response to Stephen's question, you wrote...

>> What does 'green technology' have to do with infosec?
> 
> Data centers worldwide use at least 3% of all global electricity. With 
> the growing cost of oil/power - most large corporations are looking for 
> ways to reduce power consumption at their data centers. Google is 
> building new database centers near cheap power, cheap land, and cheap 
> water. Sun has "bet the farm" on Green issues. IBM and Intel have 
> green/sustainability departments as well.
> 
> http://www.baselinemag.com/c/a/Infrastructure/Disruptive-Forces-Sun-Microsystems/

Maybe I need someone to connect the dots for me, but IMO, your response
_still_ doesn't adequately answer Stephen's question.

You addressed why 'green technology' is good in general and why businesses
are pursuing it, but not what it has to do w/ information security. Certainly,
if there is a connection here, it is not a direct one.

I don't want to speak for Stephen (but will anyways ;-), but I think it's unfair
to interpret his remark as implying that green technology is bad or some sort
of voodoo. In the context, I think his concern was that in the past, the RSA
conferences were focused on infosec, and on cryptography in particular. Apparently,
based on Stephen and gem's comments, it seems to have lost its focus. I think
that's all that was being implied here.

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
"The reason you have people breaking into your software all 
over the place is because your software sucks..."
 -- Former White House cyber-security adviser, Richard Clarke,
at eWeek Security Summit


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.



Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread Jim Manico

> What does 'green technology' have to do with infosec?

Data centers worldwide use at least 3% of all global electricity. With 
the growing cost of oil/power - most large corporations are looking for 
ways to reduce power consumption at their data centers. Google is 
building new database centers near cheap power, cheap land, and cheap 
water. Sun has "bet the farm" on Green issues. IBM and Intel have 
green/sustainability departments as well.


http://www.baselinemag.com/c/a/Infrastructure/Disruptive-Forces-Sun-Microsystems/

- Jim


> Hi Gary,
>
> How can any security conference that has Al Gore as a keynote speaker
> be taken seriously? What does 'green technology' have to do with
> infosec? And why is his keynote the only one with the tag "(Please
> note that this keynote session will not be available via webcast
> replay.)"? Now there's openness for you  (/sarc). What a joke.
>
> I'm looking forward to your new series of columns; they were getting
> too infrequent on Dark Reading.
>
> Cheers,
> Stephen
>
> On Wed, Apr 9, 2008 at 2:21 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:
>
> > Hi sc-l,
> >
> > Greetings from RSA.  This year the marketing people outnumber the
> > technical people 1000 to 1.  There are over 18,000 people here.
> > You do the math.
> >
> > I recently moved my monthly security column from darkreading to
> > informIT.  I am refocusing the column on software security and
> > business.
> >
> > My first column just went live:
> > http://www.informit.com/articles/article.aspx?p=1189519
> >
> > It's about a business trick that Phil Venables uses with great
> > success---that is, using TCO to drive security into software.
> > This shows what you can accomplish with a combination of software
> > insight and business acumen.
> >
> > I'm very much interested in your feedback on my move to informIT
> > as well as the content of this first article.  Let me know what
> > you think.
> >
> > gem
> >
> > www.cigital.com/~gem




--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com



Re: [SC-L] InformIT: budgeting for software security

2008-04-10 Thread Stephen Craig Evans
Hi Gary,

How can any security conference that has Al Gore as a keynote speaker be
taken seriously? What does 'green technology' have to do with infosec? And
why is his keynote the only one with the tag "(Please note that this
keynote session will not be available via webcast replay.)"? Now there's
openness for you  (/sarc). What a joke.

I'm looking forward to your new series of columns; they were getting too
infrequent on Dark Reading.

Cheers,
Stephen

On Wed, Apr 9, 2008 at 2:21 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:

> Hi sc-l,
>
> Greetings from RSA.  This year the marketing people outnumber the
> technical people 1000 to 1.  There are over 18,000 people here.  You do the
> math.
>
> I recently moved my monthly security column from darkreading to informIT.
>  I am refocusing the column on software security and business.
>
> My first column just went live:
> http://www.informit.com/articles/article.aspx?p=1189519
>
> It's about a business trick that Phil Venables uses with great
> success---that is, using TCO to drive security into software.  This shows
> what you can accomplish with a combination of software insight and business
> acumen.
>
> I'm very much interested in your feedback on my move to informIT as well
> as the content of this first article.  Let me know what you think.
>
> gem
>
> www.cigital.com/~gem 
>


[SC-L] InformIT: budgeting for software security

2008-04-09 Thread Gary McGraw
Hi sc-l,

Greetings from RSA.  This year the marketing people outnumber the technical 
people 1000 to 1.  There are over 18,000 people here.  You do the math.

I recently moved my monthly security column from darkreading to informIT.  I am 
refocusing the column on software security and business.

My first column just went live: 
http://www.informit.com/articles/article.aspx?p=1189519

It's about a business trick that Phil Venables uses with great success---that 
is, using TCO to drive security into software.  This shows what you can 
accomplish with a combination of software insight and business acumen.

I'm very much interested in your feedback on my move to informIT as well as the 
content of this first article.  Let me know what you think.

gem

www.cigital.com/~gem
