Gary McGraw interviews Dan Geer
In his Silver Bullet Security Podcast, Gary McGraw, CTO of Cigital, recently interviewed Dan Geer of Verdasys.
First, a discussion of the evolution of the Risk Management field of information security.
- A focus on risk management has moved into the business mindset: businesses are realizing the dollar value of the information they hold.
- A relatively new phenomenon: workers with formal education in information security are beginning to enter the field.
Dan discusses his paper, CyberInsecurity: The Cost of Monopoly (PDF), which addresses the tradeoff between diversity and homogeneity.
Dan describes the uselessness of the concept of “security through obscurity.” (Bravo!) He asserts that one must assume people will cause a system to fail in some way. His advice: plan to reduce the cost of recovering from a failure. Mean time to repair beats mean time to failure. He doesn’t argue that MTTF should be ignored; the focus must be on both sides.
Gary and Dan discuss secure software engineering, a topic of particular interest to me.
- Dan identifies a “security product” as anything that has “sentient components,” i.e., anything someone will actively try to break into.
- Software security requires monitoring. The development process, the testing process, and the execution of the software must be actively monitored by people and processes.
Finally, the two discuss data security:
- The value of a corporation’s data is growing.
- The cost of the data exceeds the cost of the systems that house it.
- The total volume of data is increasing exponentially (à la Moore’s Law).
- Other security concerns pale in comparison to the “cost” of data theft because of the volume and value of the data.
Great interview Gary, I look forward to the next installment.
Bill