<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.11" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Show 025 - An Interview with Jon Swartz</title>
	<link>http://www.cigital.com/silverbullet/show-025/</link>
	<description>In-depth conversations with leading security gurus, hosted by Gary McGraw, sponsored by IEEE Security &#038; Privacy Magazine.</description>
	<pubDate>Fri, 16 May 2008 13:25:51 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.11</generator>

	<item>
		<title>by: gem</title>
		<link>http://www.cigital.com/silverbullet/show-025/#comment-27230</link>
		<pubDate>Thu, 01 May 2008 15:22:04 +0000</pubDate>
		<guid>http://www.cigital.com/silverbullet/show-025/#comment-27230</guid>
					<description>Hi Stephen,

I would have to agree with you about hype and security.  I also agree that big vendors make stuff up if it helps them sell product.  One of the reasons I wanted to interview Jon was to find out what he thought about hype, wide public coverage, and security engineering.  What I like about Jon is his realistic attitude and his reporter's skepticism.  

Fact is, the part of computer security that the general public find exciting is the hacking/exploit part.  You can even see this in the sales numbers of my books where the bad guy books outsell the good guy books almost 4:1.  I call this the NASCAR effect.

I agree with you that asking software vendors to show you some evidence that their software is secure can be very helpful.  We've been involved in situations like that a number of times at cigital (where the poor software vendor was scrambling toward software security and needed our help).

BTW, the next victim on Silver Bullet will be Adam Shostack...so we should get a bit more technical!

gem</description>
		<content:encoded><![CDATA[<p>Hi Stephen,</p>
<p>I would have to agree with you about hype and security.  I also agree that big vendors make stuff up if it helps them sell product.  One of the reasons I wanted to interview Jon was to find out what he thought about hype, wide public coverage, and security engineering.  What I like about Jon is his realistic attitude and his reporter&#8217;s skepticism.  </p>
<p>Fact is, the part of computer security that the general public find exciting is the hacking/exploit part.  You can even see this in the sales numbers of my books where the bad guy books outsell the good guy books almost 4:1.  I call this the NASCAR effect.</p>
<p>I agree with you that asking software vendors to show you some evidence that their software is secure can be very helpful.  We&#8217;ve been involved in situations like that a number of times at cigital (where the poor software vendor was scrambling toward software security and needed our help).</p>
<p>BTW, the next victim on Silver Bullet will be Adam Shostack&#8230;so we should get a bit more technical!</p>
<p>gem
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Stephen Craig Evans</title>
		<link>http://www.cigital.com/silverbullet/show-025/#comment-27228</link>
		<pubDate>Thu, 01 May 2008 15:07:00 +0000</pubDate>
		<guid>http://www.cigital.com/silverbullet/show-025/#comment-27228</guid>
					<description>Hi Gary,

The interview was interesting (but not nearly as technical and in-depth as I am now expecting :-) but I have a couple of issues in general - not with Mr. Swartz but with his content:

1. Trying to put the onus of software security on developers is so completely asinine (and Jon did not say that - he reported that others had said that). We have to get real. Most developers will never know software security; 70% don't give a damn; 20% of those that want to know will never get funding by their company to learn it; the other 10% will learn by self-motivation and by buying a lot of books :-)

Instead, why don't we preach that when somebody buys or leases software from a company, they ask one simple question: (1) Can you give me a document that tells me the security that you've put in your software?

In Asia Pacific (excluding Australia &#38; Japan), that question would knock out 98% of the companies immediately.

2. Again, completely unrelated to Mr. Swartz himself, but the value and dollar amount placed on breaches PER PERSON PER BREACH. It reminds me too much of when I was younger and I would read the value of a marijuana bust, knowing that the cops included the weight of the buds, the stems, the roots, the soil, etc. at the inflated street price per gram. I don't see that correlation. Adam Shostack in a recent Shmoocon event ("Security Breaches are Good for You") tried to address this also - nobody knows the actual amount, and my guess is that it is totally overinflated.

To take a page from RSnake and his proposed (and declined) talk at RSA, the heads of the BSVs (Big Security Vendors) are the biggest snake-oil salesmen that I've ever seen. Who in their right mind would believe them? Of course, they are now peddling DLP - they've pumped hundreds of millions of dollars into it. I'm having a difficult time distinguishing these BSV CEOs from drug pushers.

Cheers.</description>
		<content:encoded><![CDATA[<p>Hi Gary,</p>
<p>The interview was interesting (but not nearly as technical and in-depth as I am now expecting <img src='http://www.cigital.com/silverbullet/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' />  but I have a couple of issues in general - not with Mr. Swartz but with his content:</p>
<p>1. Trying to put the onus of software security on developers is so completely asinine (and Jon did not say that - he reported that others had said that). We have to get real. Most developers will never know software security; 70% don&#8217;t give a damn; 20% of those that want to know will never get funding by their company to learn it; the other 10% will learn by self-motivation and by buying a lot of books <img src='http://www.cigital.com/silverbullet/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Instead, why don&#8217;t we preach that when somebody buys or leases software from a company, they ask one simple question: (1) Can you give me a document that tells me the security that you&#8217;ve put in your software?</p>
<p>In Asia Pacific (excluding Australia &amp; Japan), that question would knock out 98% of the companies immediately.</p>
<p>2. Again, completely unrelated to Mr. Swartz himself, but the value and dollar amount placed on breaches PER PERSON PER BREACH. It reminds me too much of when I was younger and I would read the value of a marijuana bust, knowing that the cops included the weight of the buds, the stems, the roots, the soil, etc. at the inflated street price per gram. I don&#8217;t see that correlation. Adam Shostack in a recent Shmoocon event (&#8221;Security Breaches are Good for You&#8221;) tried to address this also - nobody knows the actual amount, and my guess is that it is totally overinflated.</p>
<p>To take a page from RSnake and his proposed (and declined) talk at RSA, the heads of the BSVs (Big Security Vendors) are the biggest snake-oil salesmen that I&#8217;ve ever seen. Who in their right mind would believe them? Of course, they are now peddling DLP - they&#8217;ve pumped hundreds of millions of dollars into it. I&#8217;m having a difficult time distinguishing these BSV CEOs from drug pushers.</p>
<p>Cheers.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Justice League &#187; Blog Archive &#187; Unsafe at any bitrate? [Cigital]</title>
		<link>http://www.cigital.com/silverbullet/show-025/#comment-26460</link>
		<pubDate>Wed, 23 Apr 2008 15:18:15 +0000</pubDate>
		<guid>http://www.cigital.com/silverbullet/show-025/#comment-26460</guid>
					<description>[...] [This is a guest post by Cigital&#8217;s Troy Jones, written in reference to episode 25 of The Silver Bullet Security Podcast, an interview with Jon Swartz.] [...]</description>
		<content:encoded><![CDATA[<p>[&#8230;] [This is a guest post by Cigital&#8217;s Troy Jones, written in reference to episode 25 of The Silver Bullet Security Podcast, an interview with Jon Swartz.] [&#8230;]
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: gem</title>
		<link>http://www.cigital.com/silverbullet/show-025/#comment-25248</link>
		<pubDate>Fri, 18 Apr 2008 21:10:50 +0000</pubDate>
		<guid>http://www.cigital.com/silverbullet/show-025/#comment-25248</guid>
					<description>Hi listeners,

Sorry about the sound quality on this episode.  We used a new laptop that apparently has a really awful sound card.  Too late to fix that problem, but rest assured that it won't happen again!

Regardless of sound quality, this episode is a good one I think.

gem</description>
		<content:encoded><![CDATA[<p>Hi listeners,</p>
<p>Sorry about the sound quality on this episode.  We used a new laptop that apparently has a really awful sound card.  Too late to fix that problem, but rest assured that it won&#8217;t happen again!</p>
<p>Regardless of sound quality, this episode is a good one I think.</p>
<p>gem
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
