Third Brigade

May 2, 2009

M&A, RSA, CSA, and why I have been MIA

This has been one seriously busy couple of weeks. Between major changes at work, post-RSA wrap up and reviewing the initial material from the Cloud Security Alliance there has been a lot going on!

Trend Micro Acquires Third Brigade

The company I have been working for, since it started nearly five years ago has signed a definitive agreement to be acquired by Trend Micro. As you can imagine this is a pretty exciting time for us and the reaction in the press and community has been very positive. I'm personally looking forward to this new era and excited about what we will produce. We have been working with Trend over the last 18 months on the Intrusion Defense Firewall and I firmly believe this deal will result in even better products to come. (Press Release) (Media/Analyst Teleconference)

RSA Wrap Up

Digging through the post RSA aftermath takes some time, though there are some worthy nuggets of information. After reviewing all of the keynotes I missed I highly suggest checking out Brian Smith from TippingPoint as he introduces an interesting method of making multiple products work together more effectively. I also recommend watching the Qualys keynote, Philippe Courtot does a really good job of putting security as a service in perspective.

If you missed RSA there are some good summaries out there including Anton Chuvakin's four part series (I, II, III, IV) and Ben Tomhave's summary. Dan O’Neill does a good job of summarizing what was for me, the main event (and I agree, it was unfortunate that it lacked the sumo suits).

Cloud Security Alliance

I finally had the opportunity to read the first document from the Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing". If you are not familiar with the CSA, it is a grassroots effort to facilitate the mission to create and apply best practices to secure Cloud computing. This first document tackles the critical job of providing definitions for cloud architecture and coverage of 14 domains related to Cloud computing.

Anyone familiar with Rational Survivability will find the Cloud architecture domain familiar as Christofer Hoff has used his blog to vet most of the material present here. Moving beyond the architecture discussion is critical and I sincerely hope this will serve as the defacto standard, it certainly is the most comprehensive and vendor neutral way to define the Cloud I have seen (though I do see discrepancies in the definition of databases as IaaS or PaaS).

The other domains are very much initial material to start the discussion. Having expert authorship in each of the areas was an excellent way to start (Disclaimer: My CTO, Brian O'Higgins contributed domain 15 on virtualization), however an important second version of the document will be developed through community involvement later this year. I'm looking forward to the second version where more industry experts have an opportunity to contribute thereby balancing and enriching the material.

I strongly encourage anyone with a stake in Cloud computing to get involved. They will be looking for additional volunteers in a wide variety of capacities soon.

Posted by justin_foster on May 2, 2009 at 12:16 PM in CSA, RSA, Third Brigade, Trend Micro | | Comments (4) | TrackBack (0)

|

April 24, 2009

RSA 2009 and my Dual Personalities

I promise this is the last post (for a while) before I get back to my regularly scheduled technical content. For a security blogger a retrospective RSA post is almost a requirement so you have to excuse me while I do my duty :)

The theme of the show this year was Collabration (as opposed to the Consolidation theme of years past). This theme couldn't have been more fitting for me as I have begun a new chapter of my own personal collaboration and so has my employer. My experience was much different this time around. Last year I went as a delegate, I audited sessions and crept back to the hotel to ponder what I had learned. This year couldn't have been more different, and mainly because I was fulfilling two new roles. There was Vendor Me (i.e. Booth Babe) and Blogger Me. I audited a record low number of sessions because Vendor Me was busier than I could have imagined. I also had little time to absorb anything because Blogger Me was constantly on the go when I was not at the booth.

First I'll expand on Vendor Me, which I try to keep to a minimum in these writings. My employing company, Third Brigade had some big announcements this week. First off we were announced as part of QualysGuard PCI Connect. Our logo was displayed proudly on the Qualys booth and we are happy to be working with them to fufill PCI-DSS needs. Secondly we were featured in Trend Micro's exciting new launch of OfficeScan 10 among other offerings. I had the immense pleasure of meeting Eva Chen the CEO of Trend Micro at the launch party. We also announced our first Virtual Appliance using the VMsafe-NET API to do IDS/IPS and packet filtration at the Hypervisor level. This is a project I have been heavily involved with and it was great to be able to show it off at a time when VMware just launched vSphere 4. The interest in this new way to deploy security was overwhelming. Finally to top of an excellent week, eWeek named us one of the 10 most interesting products at RSA, which is an extreme honor given the number and quality of vendors on the show floor.

So that's enough about Vendor Me, Blogger Me was delighted to be taken under the wing of none other than Ben Tomhave from The Falcon's View, whom I have been following for a long time. On the very first pre-night Ben, Erin (Security Barbie) & I hung out at the W and I met Dan Kaminsky (of DNSSEC fame). On Wednesday night I attended the Security Bloggers meetup (Photos) and awards show. I met so many of the bloggers, writers and podcasters I have been reading and listening to for years. I had the pleasure of meeting Andrew Hay, Alan Murphy, Christofer Hoff, Martin McKeay, Ira Winkler, Jack Daniel, Jennifer Jabbusch, Jennifer Leggio and so many more I can't even count. After a late night of many parties Ben and I had met so many movers and shakers in Information Security. The universal constant is that these people are extremely intelligent individuals with a passion for security they can't help but share.

The sessions I was able to attend were, for the most part top notch. I particularly enjoyed watching Simon Crosby of Citrix and Stephen Herrod of VMware debate the merits of security API's embedded in the Hypervisor (in which I had my first taste of live twittering). Anton Chuvakin and the panel on logging standards were also very informative. I heard a lot of negativity about the attendance and quality of the keynotes, but for me and many others the positive aspects far outweighed the negatives. RSA is a dycodimey, there are good aspects and bad but it's also what you make of it. Some are there to network, some to audit sessions, others to learn more about the vendors. Its true value is compressing all of these minds and companies down to a couple of blocks in San Francisco for a week, transforming normally geographically challenged communications into a mecca of exponentially accelerated learning, networking, and partnering. For me it was a life changing week that I won't soon forget. 

At four o'clock on Thursday the expo hall closed. An annoying voice boomed over the intercom that the show was over and it was time to pack up and go home. A cheer arose from the exhibitors that were the remaining hall occupants. At first I thought this was simple relief for those that had been on their feet for the past four days, but then I realized it wasn't just that. We had all been there and accomplished much. We were applauding each other for a job well done. We had all played a part in bringing the security world to this patch of ground, therefore personifying the very Collaboration the keynote had encouraged.

Posted by justin_foster on April 24, 2009 at 10:23 AM in Qualys, RSA, Security Bloggers Network, Third Brigade, Trend Micro, VMsafe | | Comments (1) | TrackBack (0)

|

April 11, 2009

Social Security

For my 10th post I thought I would chronicle the amazing experience I have had launching this blog and becoming a more active member of the information security community.

Alan Shimel coined the term 'Social Security' and despite its unfortunate overlap with benefits for the retired and disabled, it really fits. To me 'Social Security' is the act of sharing information security knowledge for the common good. The 200+ bloggers of the Security Bloggers Network give freely of their time and knowledge and many of them have to do so outside of normal work hours in order to keep their posts free of sales pitches ;) Many of the same bloggers are highly accessible on another great tool of the Social Security space, Twitter. Specifically the ever growing list of Security Twits carefully maintained by @quine who's members are a fountain of information.

One month ago today I launched my blog, Developing Security. I'm a Software Architect and I wanted to share my experiences developing (secure) security software. Alan Shimel was gracious enough to add me to SBN providing for an instant readership (and of course, pressure!). I also joined Twitter at the same time and followed many of the members of the Security Twits list. One of the people who noticed that I followed him was Rafal Los. He was setting up an OWASP tour and noticed that my location was on the stop. He asked me if I was aware of the event and going to attend. Long story short, I ended up being involved hosting the meeting and got a great opportunity to meet Raf. Had it not be for Twitter and 'Social Security' that's likely the first of many opportunities that would have passed me by.

Every day, the power of Twitter really continues to surprise me. Once I asked about Javascript exploits (one of my favorite topics) and within a minute I was pointed down another direction that aided my research. Another time I complained about the excessive sound effects on the OWASP podcast and Jim Manicode, who produces the podcast, saw this. After an email exchange Jim agreed with my opinion, and now the latest podcasts aren't loaded with effects. Would I have complained before Twitter? Likely not. By following the Security Twits I have discovered so many more podcasts, webcasts, groups and articles. Often this information appears on Twitter before you can find it on other sources. I've also been pleasantly surprised by the people who choose to tweet about blog posts I have written. The positive comments are really appreciated.

One month and 10 posts in, I'm really enjoying this new world. For anyone remotely thinking about starting an information security blog or joining the Security Twits, I would highly recommend it. Its definitely been a highly valuable excursion for me.


For the next couple of weeks I'll be on the road demonstrating Third Brigade's VMsafe-based Virtual Appliance. If you happen to be at the VMware Partner Exchange in Orlando (April 14 - 16), please drop by the vCloud pavilion. I've been working with a great team on our Virtual Appliance and it's exciting to get a chance to show it off. I'll be writing more about VMsafe and other efforts to apply security at the virtualization layer in the future. It's a project that I have been deeply involved with and it's very interesting subject matter.

The following week I'll be at RSA either at the sessions or at booth 538. I'm also really exited to be attending the Security Bloggers Meetup. These people are celebrities to me and I look forward to meeting them! If you would like to find me at RSA just message me on Twitter @justin_foster.

Posted by justin_foster on April 11, 2009 at 01:01 PM in Justin Foster, OWASP, RSA, Security Bloggers Network, Third Brigade, Twitter, Virtualization, VMsafe | | Comments (0) | TrackBack (0)

|

March 23, 2009

Maintaining a long term Application Security Program

I recently read the outstanding paper "Building a Web Application Security Program" by Richard Mogull and Adrian Lane and it made me reflect on our own Application Security Program within Third Brigade.

Developing secure software is an important skill for every architect and engineer, but when you are developing security software, being anything less than an expert is inexcusable. There is nothing worse than being compromised through software that was designed to protect you, and for a security software company I can imagine nothing more embarrassing or detrimental. (I'll leave the digs at competitors out here.)

Building a Security Program is important, including all the aspects of development, deployment and operations that Richard and Adrian cover. Also important is maintaining the program and culture long term. I thought I would share our approach to keeping the program alive.

Early on in the life of the company, we appointed a member from each of the teams to a security council. Their mandate is to develop and maintain the security program. We recognized that the council had to hold a certain weight to it in order for other developers to take it seriously, so this council is more KGB then LOTR. Anyone serving on the council has the power to halt any release they feel hasn't passed the litmus test. This is not unlike the "Security Buddy" in the Microsoft SDL, with the exception that someone from each team in the R&D group is represented rather than a single security expert.

The council mandates policies and procedures found in many other programs including training, design review, threat models, static/dynamic analysis tools, fuzz testing, and peer code review. The product we produce is deployed by our customers, but the council ensured we covered all aspects of the security program by mandating an internal deployment complete with penetration testing and vulnerability assessment. In the end we had a very robust security program, but we needed to ensure that no aspect of it was forgotten as years and releases went by.

Our answer to this problem was threefold:

We started by making all mandatory procedures auditable. Specifications need to include security impact analysis and must be peer reviewed. Code reviews must be recorded in each case. The evaluation of the results from the analysis tools must be processed and signed off in the milestone checklists. The visibility of these procedures being carried out ensure that things don't 'just fall through he cracks'.

Secondly, the council reviews our security program and SDLC quarterly, ensuring that we keep pace with the times and adjust anything that is not working optimally. A good security program is an evolving one.

Finally, over time members of the council are changed to give fresh eyes and drive to the group's mandate. The council not only provides an important steering committee for our secure program, but enrichment for the members as well. Each member is given areas of investigation as side-projects to report on at the next meeting. Having new people on the council brings new ideas and new areas of exploration.

Posted by justin_foster on March 23, 2009 at 02:46 PM in Secure Development, Third Brigade | | Comments (0) | TrackBack (0)

|

About

The views and opinions expressed on this blog are my own and in no way represent the views or opinions of my employer, Trend Micro.

 Subscribe in a reader

Archives

Twitter Updates

    follow me on Twitter
    Lijit Search
    Creative Commons License

    Copyright © 2010. This work is licensed under a Creative Commons Attribution 2.5 Generic License.

    Some images used with permission from istockphoto.com, clipart.com and sxc.hu subject to individual copyright.