Friday, November 09, 2007

Live Online Roundtable (Episode 1)

WhiteHat Security wanted to try something different from the ordinary slide-ware Webinar. So yesterday we hosted a live and un-scripted online Roundtable discussion complete with audience participation. Robert “RSnake” Hansen, CEO of SecTheory, Chris Paggen, senior manager, application delivery and network security business unit at Cisco, and Jordan Wiens, Security Beat Editor at Network Computing, joined in and offered their personal insights on the topics of vulnerability assessment, web application firewalls, and the payment card industry data security standard. But things were made even more interesting and entertaining when we learned that WebEx allowed us to draw on each other's pictures :)



A LOT of attendees showed up and we got a lot of positive feedback at the end, some showing up on blogs, which really made the event a success. This is something we'll definitely do again. In the meantime, you can download or replay the recording.

1 comment:

Jeremiah Grossman said...

Feedback from Chris Conacher....


My thoughts are:

Format:
* I love the chat format because you actually get a sense of the problems that the experts' minds are having to wrestle with and what they really think about and struggle with
* It was like turning on the radio on a Sunday to just kick back and listen to people discussing interesting things
* Not too formal, but controlled to where everyone is getting a say and the questions are directed to the right people for main content with ancillary views from others
* Not a pissing match (difficult to achieve with a lot of security people)

Experts:
* You and RSnake are always worth listening to.
* You had a really good mix of egos as no-one was trying to prove their ground is best and it did not turn into a pissing match
* Experts admitting they don't have the answers is always nice, especially when they explain why and what the issues are
* Having experts identify the issues and what the real questions are is just as important even when the answers are available, as it is the only way to understand what the answers mean (i.e. context / scope)

Content:
* The application security stuff was great (of course) in that it set the problem set
* Loved the scope: exploits, SDLC, network solutions, WAFs, frameworks, education, etc.
* Nice to see the wider Security Lifecycle addressed rather than minutiae that is irrelevant in the context of an enterprise
* The issues raised actually made me think that the SDLC we are implementing should be as good as we can get it, which was a great takeaway / validation
* The movement onto WAFs as the technical solution du jour was very useful (the antithesis to the marketeers)
* Discussion of limitations in relation to the problem set was great
* The band-aid concept with regard to using WAFs as a stopgap against known vulnerabilities in a production code base that is not going to be remediated for a while is a real-world solution I can use rather than a technology marketing overview - that was a concrete takeaway that I can investigate and discuss as an approach
* Excellent doorman / clubfight analogy :)
* Not sure if PCI was the best use of the available time (maybe because I have been through it and handling this kind of thing has little to do with security - a large financial corporation I worked for addressed/met the whole PCI application security requirements by having application firewalls, an SDLC and an automated test before production)
* It was interesting to have a front line discussion of PCI
* That people like RSnake are being approached, and in what capacity
* Good to hear RSnake stating his perceived value in being engaged in that activity
* Again, marketeer antithesis is always good
* Nice to see the mix between the network and application security views in terms of solutions to the problem set

Balance:
* About the right concentration on Application Security
* Not sure about PCI as one of the topics, but it was given about the right amount of time
* Nice winding up with the 'What is the coolest thing...'

Audience Participation:
* Thought the level was about right (i.e. trend input, aggregate and pose in a way that continues the discussion)
* I have been in these things where it ends up more like talk radio with 'Mr Smith from Brighton asks...' and it is some dumb question. All that does is make sure that I will not go to another.
* Not sure if you can make it more interactive without detracting from the discussion.
* I.e. if interaction is limited it can be frustrating as people want to get their input heard.
* If there are too many options for input it can just be distracting and people just give up.
* In short, if there is a way that I can get my specific questions out there and answered (rather than having to spend money) then great; otherwise I would stick to the audience-participation lite that you have here - again, trend input, aggregate and pose in a way that continues the discussion.

My 2c.

Chris