This is not your father’s analyst conference. In fact, probably not your grandfather’s either. Strong focus on technology? Check. Without the other stuff. And it was no surprise that 90% of the attendees held technical positions.
Despite the madness of ComicCon happening simultaneously, Catalyst 2010 (not quite over yet) took a number of technology industry issues and dissected them down to a granular level.
Of note, I attended two 4-hour workshops: one on securing cloud environments and another focused on building security into the software development lifecycle (SDLC).
Ramon Krikken and Kirk Knoernschild put together a formidable model and plenty of backup around building out software that is developed and published with secure code.
Because so many organizations are NOT developing software that is free of vulnerabilities or exploitable code, they pointed out that technologies like Database Activity Monitoring (DAM) are rising in demand. The reason is simple: once vulnerabilities are discovered or exploited, they can’t be remediated immediately, and it’s very difficult to ‘get it right’ 100% in the SDLC.
It’s no shocker that, in an anecdote, one of the analysts described a former life as a developer at a company whose system used a single user ID/password connector to the dev/test database. The developers weren’t granted access to the production DBs, but found out how to reach them because someone had written that ID/password to the log files. Otherwise ONE person owned the IDs/passwords to production, and despite the developers knowing they could gain access just by reading the log files, no one raised the issue. What if there had been a rogue developer with an axe to grind?
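The failure in that anecdote is credentials landing in log files and then being readable by anyone with log access. As an added example (not code from the post or from the analysts), the Python below shows the two controls a practitioner would want: a `logging.Filter` that masks credential-looking values before a record reaches any handler, and a scanner that flags lines in existing logs that already carry one. The regex patterns, the `RedactingFilter` class, and the sample log lines are all constructed for this illustration; the sample credentials are fake.

```python
import io
import logging
import re

# Constructed patterns for the common ways a credential ends up in a log line.
# Each one names the sensitive part "secret" so the redactor can mask just that.
SECRET_PATTERNS = [
    # key=value / key: value pairs such as password=..., api_key=..., token=...
    ("key-value", re.compile(
        r'(?i)\b(?P<key>password|passwd|pwd|secret|api[_-]?key|token)'
        r'\s*[=:]\s*["\']?(?P<secret>[^\s"\'&;,)]+)')),
    # credentials embedded in a URL or DSN: scheme://user:PASSWORD@host
    ("url-credential", re.compile(
        r'(?i)(?P<key>[a-z][a-z0-9+.-]*://[^:/\s@]+):(?P<secret>[^@\s/]+)@')),
]


def _mask(m: re.Match) -> str:
    """Rebuild the match with only the 'secret' group replaced."""
    s = m.string
    return s[m.start():m.start("secret")] + "[REDACTED]" + s[m.end("secret"):m.end()]


def redact_secrets(line: str) -> str:
    """Mask the secret part of every credential found in a log line."""
    for _name, pat in SECRET_PATTERNS:
        line = pat.sub(_mask, line)
    return line


def scan_log(lines):
    """Return (line_number, pattern_name) for each line that appears to carry a credential.

    Use this over logs that already exist; redaction at write time prevents new leaks,
    but it does nothing for what was written before the control was in place.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for name, pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((n, name))
                break
    return findings


class RedactingFilter(logging.Filter):
    """Constructed logging.Filter: masks credentials before any handler sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first so values passed as %s are covered too.
        record.msg = redact_secrets(record.getMessage())
        record.args = ()
        return True  # never drop the record; only its sensitive content changes


def demo_logging() -> str:
    """Attach the filter to a logger writing into memory and return what was written."""
    buf = io.StringIO()
    logger = logging.getLogger("demo.redacting")
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()      # keep repeated calls idempotent
    logger.propagate = False
    logger.addFilter(RedactingFilter())
    logger.addHandler(logging.StreamHandler(buf))
    # Constructed DSN with a fake password, the way a careless connect() debug line looks.
    logger.debug("opening %s", "postgres://svc_user:Pa55word@db-prod.internal:5432/app")
    return buf.getvalue()


# Constructed sample log lines; none of these values are real.
SAMPLE_LOG = [
    "2010-07-28 09:14:02 INFO  Connecting to postgres://svc_user:Pa55word@db-prod.internal:5432/app",
    "2010-07-28 09:14:02 DEBUG jdbc props: user=svc_user;password=Pa55word;ssl=true",
    "2010-07-28 09:14:03 INFO  Connection pool ready (size=10)",
    "2010-07-28 09:14:05 WARN  retry 1/3 for api_key=cafe0123deadbeef",
    "2010-07-28 09:15:00 INFO  user=jdoe logged in from 10.0.0.12",
]

if __name__ == "__main__":
    for n, kind in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} -> {redact_secrets(SAMPLE_LOG[n - 1])}")
    print(demo_logging(), end="")
```

The filter sits on the logger rather than on one handler, so every handler (file, syslog, console) receives the already-masked record. Pattern matching of this kind is a safety net, not a substitute for keeping production credentials out of developer-reachable configuration in the first place; `scan_log` is the check to run over the logs the developers in the anecdote could already read.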
It all speaks to the sensitive nature of the database itself and the critical information that resides there. It also brings up the fact that there are often process issues associated with access controls to the database. What if that one person with the keys to the kingdom was hit by a bus? Does the business cease to exist as a result? Contingency planning, anyone?
All in all, a fascinating and informative presentation by both analysts, and you can probably find out more about their research by heading to Burton’s site. I’d recommend getting yourself to a Catalyst conference at some point, based on the technology knowledge you’ll walk away with.
Part II will address the cloud security workshop, which was equally informative.