Title: Pentultimate Hack – Manipulating Layers 8 & 9 of the OSI Model (Management & Budget)
Speaker: Rafal Los (aka Wh1t3Rabbit)
This talk was well prepared but not as dynamic and entertaining as the Schuyler Towne talk (fortunately I attended the Towne talk and they had coffee by now). It had a lot of buzzwordology and business clichés in it, but I mean that in a good way. Knowing business-speak is unfortunately a cost of doing business, so it was grating but valuable to attend this talk. He spoke of how security is typically a bolt-on or an afterthought and really needs to be thought of as part of the core business plan. What often happens is that some application that is going to generate $20 million in revenue gets audited and found to be full of security holes, and that justifies $750,000 to harden it up. It usually takes those big-money projects to drive the security side of things. He also spoke of the plight of the CSO or pen tester, specifically that they are implicitly to blame if any compromise happens, but it is actually under pressure from the project manager that products ship despite the warnings of the pen testers or the CSO. So he recommends requiring the project manager to sign a document absolving the CSO or pen tester(s) of responsibility if he/she intends to ship a product against recommendations to the contrary. He also recommends schmoozing the legal counsel, as that gives political leverage in these situations.
Summary: this guy is giving very good advice to CSOs and pen testers which, if they heed it, will create a climate in which vulnerability scanners should become more popular.