On the Ground at Burton Catalyst 2010

Monday, August 02, 2010

Article by Tom Bain, Application Security, Inc.

This is not your father’s analyst conference. In fact, probably not your grandfather’s either. Strong focus on technology?

Check. Without the other stuff. And it was no surprise that 90% of the attendees held technical positions.

Despite the madness of ComicCon happening simultaneously, Catalyst 2010 (not quite over yet) took a number of technology industry issues and dissected them down to a granular level.

Of note, I attended two 4-hour workshops: one on securing cloud environments and another focused on building security into the software development lifecycle (SDLC).

Ramon Krikken and Kirk Knoernschild put together a formidable model, with plenty of supporting material, for building software that is developed and published with secure code.

They pointed out that because so many organizations do NOT develop software that is free of vulnerabilities or exploitable code, technologies like Database Activity Monitoring (DAM) are rising in demand: once vulnerabilities are discovered or exploited, they can’t be remediated immediately, and it is very difficult to ‘get it right’ 100% in the SDLC.

It’s no shocker that, in an anecdote, the analysts described a situation from one of their former lives as a developer: the company had a system set up with a single user ID/password (ID/PW) connector to the dev/test database.

The developers weren’t granted access to the production databases, but found a way in because someone had written that ID/PW to the log files. Otherwise, ONE person owned the ID/PWs to production, and although the developers knew they could gain access just by reading the log files, no one raised the issue.
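The failure in that anecdote is a credential written to a log file where anyone with read access can find it. As an added example (not from the post or the analysts), the check below scans log lines for leaked database credentials, both `password=...` style key/value pairs and `scheme://user:pass@host` connection URLs, and produces a redacted copy; the log lines, hosts, accounts and passwords are constructed for this example.

```python
import re

# Secrets written as key=value or key: value (e.g. "password=..." in a JDBC URL's query string).
SECRET_KV = re.compile(r"(?i)\b(password|passwd|pwd|secret)(\s*[=:]\s*)([^\s;,&'\"]+)")
# Credentials embedded in a connection URL: scheme://user:pass@host
URL_CREDS = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://)([^:/\s@]+):([^@\s]+)@")

def find_leaks(line):
    """Return a list of (kind, secret) for credential material found in one log line."""
    leaks = [(m.group(1).lower(), m.group(3)) for m in SECRET_KV.finditer(line)]
    leaks += [("url-credential", m.group(3)) for m in URL_CREDS.finditer(line)]
    return leaks

def redact(line):
    """Return the line with secret values masked; everything else is left intact."""
    line = SECRET_KV.sub(lambda m: f"{m.group(1)}{m.group(2)}<REDACTED>", line)
    line = URL_CREDS.sub(lambda m: f"{m.group(1)}{m.group(2)}:<REDACTED>@", line)
    return line

def scan_log(lines):
    """Return (line_number, kinds, redacted_line) for every line that leaks a credential."""
    findings = []
    for n, line in enumerate(lines, 1):
        leaks = find_leaks(line)
        if leaks:
            findings.append((n, [kind for kind, _ in leaks], redact(line)))
    return findings

# Constructed sample log; hosts, accounts and passwords are invented for this example.
# Line 4 mentions "Password" without a value and must NOT be flagged.
SAMPLE_LOG = [
    "2010-07-29 10:12:03 INFO  Connecting jdbc:mysql://devtest-db:3306/app?user=appsvc&password=Tr0ub4dor",
    "2010-07-29 10:12:04 DEBUG DataSource url=postgresql://prod_app:Sup3rS3cret@prod-db:5432/orders",
    "2010-07-29 10:12:05 INFO  Login ok for user=alice session=9f3c",
    "2010-07-29 10:12:06 WARN  Password reset requested for user=bob",
]

if __name__ == "__main__":
    for n, kinds, clean in scan_log(SAMPLE_LOG):
        print(f"line {n}: leaked {', '.join(kinds)} -> {clean}")
```

Run against a real log directory, a hit on a production connection string is the signal to rotate that credential and fix the code path that logged it, not just to redact the file.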

What if there was a rogue developer with an axe to grind?

It all speaks to the sensitive nature of the database itself and the critical information that resides there. It also highlights that access controls to the database often come with process issues.

What if that one person with the keys to the kingdom was hit by a bus? Does business cease to exist as a result? Contingency planning anyone?

All in all, a fascinating and informative presentation by both analysts, and you can probably find out more about their research by heading to Burton’s site. I’d recommend getting yourself to a Catalyst conference at some point based on the technology knowledge you’ll walk away with.

Part II will address the cloud security workshop, which was equally informative.

Cross posted from Database Security 3.0