Thursday, March 13, 2008

Italian Security Landscape

The first sentence: I'm disgusted.
Hi folks, today I've been very frustrated after a security talk at Bologna University, Cesena campus. Today a "big" company from Ravenna gave a talk in our university about their security vision. The talk was a total mess. The speaker (the security chief) used a poor and wrong security vocabulary, misunderstanding some of the fundamental security terms, such as Hacker, Intruder, Exploit Kid and so forth. He presented an unclear vision, jumping from one slide to another without any logical step; he talked about stateful firewalls and about an "Http Firewall" (what's that??), sketching a definition of Intrusion Detection by saying that it is the same thing as a stateful firewall (are you crazy?). He presented the Security Engineering professional profile as a man who has to use some ready-made products, called bricks! He didn't understand what a penetration test is, he didn't realize what red teaming is, nor what kind of security engineering the world requires today. He presented a totally wrong graph where he explained that a BoF is more dangerous than a "sql-injection" (it's just a stupid example) because it is more widespread, without considering that it is precisely through a sql-injection that an attacker may trigger a BoF [Marco Ramilli, Buffer Overflow Technique, ICT-Security]. Again, lots of wrong graphs and lots of wrong sentences that I don't wanna write in my blog.
I'm really sad: this company (I don't wanna say the name) is working for Ferrari, Banca Intesa, Banca San Paolo, lots of big and rich Italian companies. It's unbelievable that big companies like those are left in the hands of this "security company".
Again, I'm really sad. Lots of companies wanna make security but don't know anything about it. They (he) didn't know any security books and they didn't know any security literature. The security chief is a physician converted into a security engineer. Actually I'm thinking of a technical paper written by Stefano Zanero about a similar topic. I don't remember which paper it is or where you can find it, but he said something like this:
"In our country lots of companies wanna make security, but only a few are able to think in security, being good security companies" (it's not the exact sentence, just a little memory of his technical report). I totally agree with him.
Yet another sad story.


Marco Fabbri said...

I'm no security expert (say instead "kind of interested"), but I spotted a non-trivial amount of FUD in the talk; maybe it wasn't conceived for a technical audience and it resulted somehow "marketing" oriented (about selling a shiny company image - at least this was the feeling). I would have appreciated a clearer vision of the interplay between the activity as System Integrator (Lego(tm) building blocks) and the activity as Security Consultant (especially from the point of view of "designing for security").
Talking about actual professionals and Italian IT, being it somehow a young field of activity, (imho) much of its panorama is characterized by opportunity and occasions; i.e. some roles happen to be assigned this way, it isn't a matter of choice or bad will, there were no alternative (even better) solutions, and there won't be any, at least until someone beats this inertia. Large systems (and large companies) tend to manifest that specific property. Another point of fear, uncertainty and doubt concerned the interplay between economical/organizational aspects and technological aspects; what is the role of a software engineer in re-shaping organizational processes and how does this re-shaping challenge the software systems design process?
Seeing the glass half full, there's plenty of room for improvement.

Just my 2 cents.

Marco Ramilli said...

Thank you Marco for your comment!