The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was the following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinski, and books by Pynchon.

(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

• Emergent Chaos blog
• The New School of Information Security
• Microsoft’s SDL
• Cigital’s Touchpoints
• IEEE Security & Privacy magazine
• Wassily Kandinsky
• The CardSystems breach (2005)
• Thomas Pynchon

This week has been an interesting week in the virtual security blog world!  Simon Crosby of Citrix/XenSource stated in his podcast that he felt the virtualization vendors like VMWare and Citrix didn't have the competence to address the security challenges of virtualization and Chris Hoff blogged about it saying that the statement is a cop-out and that they should do more in securing their platforms. Alan Shimel also blogged on the topic and agreed with Hoff and I blogged about it agreeing with both Simon and Hoff. 

To restate my position on it I think that Simon is correct in that virtualization vendors like VMWare and Citrix do not have the expertise today to address all of the security challenges.  I also agree with Hoff that they should address more of the security challenges.  So this leads me to my own opinion that some of the virtualization vendors will acquire security technologies to differentiate  themselves from others and acquire the expertise.  Many say that the virtualization market will become commoditized and  that security can help protect its value. 

Think about it.  Would you rather buy a Virtual Environment or a Secure Virtual Environment?!

So.. Onto the topic of this blog!  Is Virtual Security Technology A Prime Target For Acquisition?

I'd love your opinion so please comment!!

What triggered my blog on this topic was this rumor I heard today.  Some buzz started today that one of the virtual security startups just agreed behind closed doors to be acquired by one of the big guys.  But, who could it be?  Reflex Security, Catbird, Blue Lane, Altor Networks, VMSight, Embotics, etc.

I have an idea of who it could be but don't want to spread rumors that could be false.  The other question is whether or not there is an atmosphere of acquisition frenzy brewing in the virtualization market. 

Please comment on your thoughts - Just click the comments link bellow.

The business plan is as much for them (meaning your senior executives and the like) as it is for you. So you need to start the plan off with a bunch of information about them, before you get back to what you are going to do.

Running time: 6:45

Intro music is Jungle and we end with Ben Folds' "Don't Change Your Plans." Obviously the plan must adapt given the dynamic nature of our businesses, but by building the plan with the customer in mind you won't be changing it based upon the way the wind blows. 

Direct Download: 13_Pragmatic_CSO_Podcast_13.mp3

Subscribe in a reader

Photo Credit: nbonzey

Simon Crosby, CTO of Citrix/XenSource made a pretty bold statement yesterday that has some people agreeing with his position and others disagreeing.  In an interview with searchsecurity.com he publicy stated that virtualization vendors are not competent to try and secure virtual environments and therefore looks to 3rd party security companies to solve these concerns. 

Listen to the podcast here

Who are these 3rd party security companies?  Well, there are a number of startup companies such as Montego Networks, Blue Lane, Catbird, Altor Networks as well as some of the big guys that are working on helping the virtualization vendors with these security concerns.

I tend to agree with Simon that the virtualization vendors don't currently have the expertise to deliver appropriate security controls for virtual environments BUT should they?

Well, Chris Hoff who blogs on the topic of virtualization security a lot seems to think that they should deliver security tools and and by not delivering solutions to secure the environment they are doing their customers a disservice.

"Further, I don't expect that the hypervisor should be the place in which all security functionality is delivered, but simply transferring the lack of design and architecture forethought from the hypervisor provider to the consumer by expecting someone else to clean up the mess is just, well, typical."  Said Chris Hoff in his blog on this topic

I've spoken with a number of research analysts, venture capitalists and customers on this topic over the last several months and whenever I tell them what Montego Networks is off building they ALL seem to ask the same questions.  One of those questions is:  Why isn't VMWare or Citrix/Xensource doing this?  My response has always been that "they have publicly stated they do not want to and plan on leveraging an eco-system of security vendors to provide this". 

Well, Simon's public statement is right in line with what I've been saying all along.  The other question I get when I describe how Montego has security built into a virtual switch we've created is; shouldn't this technology be in the VMWare Virtual Switch?  And my response is "absolutely!  But it isn't!  so, someones got to do it."

So, I agree with Chris Hoff and I also agree with Simon Crosby.  The virtualization vendors don't have the expertise BUT I feel they should provide SOME security tools to ensure the environment is safe. 

There are some virtualization vendors that I have spoken with that are planning on using security as a differentiator and its my prediction that one of them will acquire security technology to do this.   Its often easier to acquire vs. try and built it yourself given you don't currently have the expertise.

So who's problem is it to solve??  Virtualization Vendors or Security Vendors??

I see the finger pointing game starting!

-John Peterson

CTO / Montego Networks

ebizQ published a podcast that Mike Rothman invited me on dealing with vendor consolidation and "big is the new small".  It is always fun talking with Mike and we had a good time.  I like that they also transcribed the podcast if you just want to read it.  You can get it here.

This week we get back into the Pragmatic CSO methodology, and jump into Section 2: Building Your Pragmatic Security Environment. The first step in S2 is Step 4 or Building Your Security Business Plan. Why do we need a business plan anyway? What's the point?

All is revealed in podcast #12. Well OK, not all - but I lay the groundwork on why the business plan is probably the most important of the 12 steps and what goes into building it. Over the next 2 months or so, we'll be delving deeply into the business plan and the associated efforts to "sell" the strategy to the senior team.

So, buckle up as we take off for the next leg of the P-CSO journey.

Running time: 5:52

Intro music is Jungle and I sign off with Acquiese from Oasis' Masterplan album. Since the security business plan is YOUR Masterplan, I thought that was appropriate.

Direct Download: 12_Pragmatic_CSO_Podcast_12.mp3

Subscribe in a reader

Photo Credit: Peter J. Bury - IRC