RSA: “It feels like something’s missing”

The last time I was at the RSA conference/expo in 2004, Bill Gates talked about PREfix and PREfast in his keynote — he even went off and started talking about Microsoft’s acquisition of PREfix! Hard to top that … but it’s a great place for schmoozing and to get a feel for the market, so I spent a couple of days hanging out there last week. Unsurprisingly, I was largely thinking about strategies related to static analysis products and technologies, and I’ll cover those in my next post. First, though, I wanted to share my more general impressions.

The conference/expo combo keeps getting bigger and bigger — 17,000 people this year — and the technical sessions keep getting stronger and stronger, with multiple interesting tracks. Unfortunately it also keeps getting pricier, now over $2000 for a full conference admission; so I plunked down the $100 for an “Expo-only” admission (which used to be free … sigh). The Expo filled the south side of Moscone Center in SF, with the usual mix of big displays from well-known names like Symantec, Microsoft, CA, IBM, the NSA … and smaller booths on the sides, which is often where the more interesting things are going on.

There wasn’t a lot of buzz at the expo – in fact, the most frequent comment I heard from people was “it feels like there’s something missing” – but three products especially caught my eye:

  • splunk, “the IT search company”. It’s not a glamorous problem, but today it’s often extraordinarily difficult to find the right information in the huge amounts of IT data. splunk’s fast indexing, easy and flexible query-building UI, and interesting visualization (in Flash!) seemed to me like they can really help.
  • Secerno’s “security brain for your database” stops SQL injection attacks by parsing and analyzing SQL code and using machine learning technologies. Yeah, it sounds too good to be true; but I spent a while talking with their CTO and came away thinking that it might actually work. At the very least, it’s something where early adopters can potentially get a lot of benefit until the attackers catch up and start crafting specific attacks.
  • Affinion wasn’t even in the main expo hall, but their BreachShield service (“after a data breach, your first move is critical”) was the only offering I saw which focused on corporations helping consumers — or employees — after a data breach occurs.

There were “CVE spoken here” and “CWE spoken here” signs up at a lot of booths, and I wound up spending a chunk of time talking to Robert Martin and David Mann from Mitre about the state of things — and what’s next. One of the most exciting things I heard was that they’re working with sociologists to understand CVE’s success so far, and bringing in perspectives from communication theory — for example, the ability of a CVE id to function as a semanticless label makes it useful in a bunch of situations where a more detailed and structured definition would be impractical. Very intriguing …

In terms of the rest of the show, there was a lot of focus on compliance and “risk management” — which, when I talked with people in more detail, often seemed to be about managing the risk to your company if a breach happens by showing that you’ve taken reasonable precautions and followed your procedures … in other words, compliance: SOX, PCI, a zillion other acronyms. While I realize that this is extremely important, it’s hard for me to get excited about it. It seems to me that in many cases the money being spent here is primarily reducing the risk to corporations of being hit by big fines or lawsuits. I’d much rather see it going primarily to increasing security, or to providing benefit to end users and consumers. I constantly found myself asking, “would these solutions have prevented the TJX data breach? or MySpace’s allowing access to ‘private’ photos for months?” Hard to know …

As with the other stops on the security “conference circuit”, a lot of the best discussions happened off the show floor, running into people in the halls or at the innumerable parties and other social events going on. Good networking at the bookstore, including a great chance to spend a few minutes talking with Pulitzer Prize-winning Eric Lichtblau (who also gave a keynote) about his new book Bush’s Law — and Adam Shostack, whose The New School sold out by Thursday afternoon (“always leave ’em wanting more”). Alas, I couldn’t stay for the last day, with the Hugh Thompson Show and a keynote by Al Gore (!); probably just as well, because I was all conferenced out.

A couple of things that really struck me. On the positive side, the computer science as a social science meme continues to percolate; it’s really striking to see how much things have changed just in the four years since I was last at RSA. Less positively, though, this transition is only partial, and in particular there’s very little mention of the people involved — except, of course, as potential threats who need to be monitored (Dan Geer’s new book suggests a panopticon: “to prove something didn’t happen you must have every place where it could happen under surveillance”), or imperfect users who make mistakes that “compromise the integrity of the system” and so must not be allowed any control.

So after thinking about it over the weekend, I’ve got a possible answer for the feeling so many attendees had that there’s something largely missing. It’s easy to think of the security problem simply as protecting systems and data. In practice, though, that data’s about people — who may or may not know that it’s even in a company’s database. Shouldn’t the industry be taking an approach that starts with their perspectives?

Continued in Part 2: static analysis