Dailydave mailing list archives

Re: Things to watch: AppSec Keynote by Alex Stamos.


From: Andreas Lindh <andreas.lindh () isecure se>
Date: Mon, 9 Feb 2015 19:31:45 +0000

This is quite possibly the best keynote that I have ever seen. My 
colleague Tero asked “how many CISOs do you know who could give a talk 
like this?” and my response was “how many security pros do you know who 
could?”. The truth is, there aren't a lot of people in security (or 
otherwise) with insights like this.

One thing that especially caught my attention: at one point, Alex talks 
about how some companies write a web app, then buy a WAF to secure 
the web app, and then hire a consultant to come in and install and 
configure the WAF, and after that the web app is "reasonably secure". 
Here’s the thing: this might be true in the US, but in large parts of the 
rest of the world, that consultant will be a sales engineer-type who is 
actually a *nix sysadmin and who may be great at Linux but doesn’t know 
shit about web apps. The reason for this, as most people know, is that 
security shelf products are often marketed and sold as self-playing 
pianos, so someone who has “BigIP” or “Imperva” as a LinkedIn skill most 
likely knows a lot about installing and operating the product, but not a 
lot about what the product actually does. Bottom line: that web app is not 
even reasonably secure.

(shameless self-promotion: I wrote a post related to that subject a while 
back: 
http://3vildata.tumblr.com/post/109188919632/about-the-infosec-skills-shortage)

Andreas



On 2015-02-09 16:15, "Dave Aitel" <dave () immunityinc com> wrote:

https://www.youtube.com/watch?v=-1kZMn1RueI

Just an unexpectedly GREAT keynote by Alex Stamos. I mean, not that I
thought he would give a crappy keynote, but in fact, good keynotes are
few and far between even when people have it in them.

Even the Q&A section is great. So go watch it now. He comments a bit on
FireEye, Incident Response, Application Security.

-dave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave