Show 030 - An Interview with Ken van Wyk

Ken van Wyk

On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn’t learn from failure the way mechanical engineering does, how we’re taking steps backwards in computer security, whether focusing on web applications is a good or bad thing for software security, and Ken’s recommendation for moderately priced red wines.

Show 030 - An Interview with Ken van Wyk [21:48m]

7 Responses to “Show 030 - An Interview with Ken van Wyk”

  1. Stephen Evans Says:

    Hi Gary,

    Another home run; great questions and answers, plus a dose of software security history is always a bonus. Great insight from him about monitoring at the application level.

    A couple of comments:
    - Ken said his SC-L list was stagnant. I subscribed to it not long ago and found he was too heavy-handed as a moderator (certainly he is not unique!!!), jumping in too quickly to declare a thread off-topic. So I stopped posting and reverted to lurking.

    - Is there an article where you have expounded on your misgivings about focusing too much on Web application security? On one recent podcast you touched on it (after you went to Europe and spoke at an OWASP Conference) and you asked Mr. van Wyk a question about it (at 17m44s), so I know it’s bugging you a bit :-) As he stated, and from my previous work on both thick client & web apps, session management is the main area absent from the former… I am genuinely interested in learning what your opinion and thoughts are on this.

    Stephen

  2. gem Says:

    Hi Stephen,

    Thanks. It’s always enjoyable to chat with people as knowledgeable as Ken. I told him about your posting, so hopefully he can address the sc-l thing here.

    There is a brief mention of the overfocus on Web apps in my informIT article below. Perhaps I should write about that as a complete topic!

    http://www.informit.com/articles/article.aspx?p=1237978

    You can also find some discussion about that in “Software Security” http://www.swsec.com on pages 20-23.

    For the record, we must focus some attention on securing Web apps…just not ALL of our attention.

    gem

  3. KRvW Says:

    Hi Stephen (and Gary),

    Thanks for the kind words all.

    As for the SC-L comment, I’m more than surprised you would feel that way. Most often, I’m accused of not being heavy-handed enough on the list, and giving people far too much leeway in straying from topic.

    It’s true, I have stopped a couple of threads that strayed (IMHO) too far, but in every case, I did so by saying something like “let’s please let this thread die.” Even that was in no way an edict, and I always try to give people plenty of freedom to say what they please — so long as it stays within the published charter. (The primary rule there is civility; I will mercilessly crush flame wars and gladly be reprimanded for that.)

    So, I’d certainly invite you and anyone else who may feel as you do to “come back” and feel free to post. If you feel you’ve been wronged, then bring it to my attention. I am always open minded and willing to hear your case. On that you have my personal guarantee.

    Cheers,

    Ken van Wyk

  4. gem Says:

    Thanks Ken. I, for one, really enjoy sc-l. To me it feels like home for software security. For those of you who have not subscribed, see the link up there under the podcast in the links section.

    gem

  5. Stephen Evans Says:

    Thanks, Ken, for that response; looks like I mistakenly judged based on too small a sample. And I promise that I’ll have fewer beers inside of me when I post again :-)

    Stephen

  6. Stephen Evans Says:

    Hi Gary,

    Addressing your response at #2…

    Since ISC2 has just announced their new certification, Certified Secure Software Lifecycle Professional (CSSLP), and have been seeking out collaboration informally with OWASP, I think this is a particularly relevant topic. As my #1 software security guy, I want to hear from you what you think about it.

    Sounds like an article to me :-)

    Cheers,
    Stephen

  7. gem Says:

    Hi Stephen,

    SANS is also taking a swipe at certifying developers. I am skeptical of these approaches. I wrote about this back in a darkreading column you can find here, entitled “Certifiable”:

    http://www.darkreading.com/document.asp?doc_id=123606

    When I get some time I will take a look at the CSSLP more closely.

    gem
