RSA 2011: Serious Business at the Greatest (Security) Show on Earth.
Without a doubt, the annual RSA conference is the premier gathering of key security leaders from both industry and government. It is what I like to call “The Greatest (Security) Show on Earth.” From vendors showcasing innovations (some great, some lacking a market) to some of the brightest minds and leaders in the world sharing their vision for the future of cyber security, RSA 2011 delivered on many levels.
As at any big, important event, spirits run high and optimism flourishes. I took away these important observations that I hope my colleagues will remember as the memories of wining and dining (and trying to stay dry) in San Francisco fade:
- Where The Security Industry is Going – One of the major themes from this conference was that there is still not enough of a business focus on application security. As Internet applications serve as the backbone for most enterprises, it is heartening to hear many experts highlight the need for better application security solutions. Another key point that caught my attention was the need for the security industry to be more quantitative rather than qualitative. A great talk given by Gary McGraw and Jerry Archer focused on how to talk to C-level management about security. We’ve all heard this kind of presentation before, but these guys concentrated on how to talk to management in terms they can understand and compare against all the other baby birds in the nest that need feeding. Something we in the industry can all benefit from. Jeremiah Grossman from WhiteHat Security opened with this quote from Lord Kelvin, which underscored the need for more quantitative analyses of cyber security: “When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind.”
- Where the Website Vulnerabilities Are – WhiteHat publishes its annual Security Statistics Report, which provides a true statistical picture of current website vulnerabilities. This presentation, along with the WhiteHat report, reinforces that website vulnerabilities are still out there in huge numbers, across all industries, and that new issues are coming up all the time. WhiteHat expects Cross-Site Request Forgery (CSRF), which automated source code scanning tools cannot find reliably (although they purport to), to be a major concern in 2012.
Keynote Addresses of Note:
- Bill Clinton – While much of his address did not directly address information security, it was worth hearing a former President of the United States discuss timely issues, like budget deficits and “insider stories” about Pentagon spending on the Joint Strike Fighter program. The sheer presence of a former U.S. president at RSA surely helped raise overall awareness of the great work we do as information security professionals.
- Michio Kaku – One of the world’s pre-eminent theoretical physicists, Dr. Kaku gave a riveting presentation on what we can expect from technology over the next 20 years – beginning with things that are possible right now, from growing new hearts from just a few cells to MRI machines that are only one-foot cubes.
- Hugh Thompson – Any time you get a chance to see or hear Hugh in action, you will be entertained. Hugh’s keynote last week was no exception – his second guest was Alex Conran, the host of a BBC program called “The Real Hustle.” The program shows very interesting scams pulled off in a Candid Camera kind of approach, with the underlying thought being that if you tell someone what they want to hear, they can be duped into doing things they wouldn’t normally even consider.
Of the three main areas of discussion during RSA 2011 – application security, mobile security and cloud security – AppSec continues to be at the forefront. This is not surprising, as applications span all three of those areas. And as we make our way into 2011, I anticipate that we will see more organizations moving toward comprehensive application security solutions whose results can be truly quantified. This next step in information security will allow security professionals not only to protect the enterprise, but also to allow it to flourish.
About the Author:
Greg Reber is the founder and CEO of AsTech Consulting. Since 1997, AsTech has helped Fortune 1000 companies meet the challenge of securing their information assets. In 2001, AsTech was among the first to see the emerging threat posed by customer-facing Internet applications and developed an application vulnerability assessment solution that has continuously evolved to meet today’s threat environment head-on.