Home » Data Protection » Application Security

Why CSOs Should Care About ShmooCon

CSO Senior Editor Bill Brenner on why high-level security execs should pay more attention to a hacker fest like ShmooCon.

By Bill Brenner, Senior Editor

February 07, 2010 — CSO —

WASHINGTON, D.C. -- Many CSOs view ShmooCon as an event of small importance. You don't see the suits and ties that are on display at RSA. In fact, to those who haven't attended, this conference is just a place where twenty-something hackers come to get drunk and throw TVs out hotel windows. Another crazy Black Hat/Defcon-caliber conference, more than one high-level security exec has told me in the past.

As with any security event, things can get rough around the edges. The security podcasters' meet-up on Saturday night was more like a Motley Crue concert than anything else. The podcasters on stage resembled the head table at a Klingon wedding. But drunken antics conference-wide were minimal, and some decent food for thought came out of the podcasting event despite the rowdiness.

The larger reality is that a lot of important talks happen here that have implications up and down the IT security food chain. It's also important to note that a lot of the young ruffians who come here are the very people who find the security holes so they can be fixed. They also build a lot of the technology CSOs lobby their upper management to invest in.

Some examples:

Tyler Shields of the Veracode Research Lab gave a talk about those BlackBerry phones security execs can no longer live without. His message: The BlackBerry is full of weaknesses an attacker can exploit to target the larger enterprise network.

Many CSOs have become equally dependent on their iPhones, and they are increasingly being used to conduct business. Guess what? Those devices are equally at risk, according to Trevor Hawthorn, founder and managing principal at Stratum Security. He gave a presentation on how the bad guys can attack through your iPhone apps and tap into your GPS to track your whereabouts.

Presenters also offered new insight into how attackers are targeting the P2P and social networking platforms your employees use all the time on company-owned computers. [See Inside FarmVille's Sinister Underbelly and P2P Snoopers Know What's In Your Wallet]

Another running theme this year was about the failure of security spending; where companies spend millions to acquire all the best-of-breed security technology they can find in the rush to check off all the boxes on a compliance checklist but install it all so haphazardly that they actually increase their risk.

While most of the talks were tech-heavy, a lot of the discussion in the presentations and in the hallways were about the language disconnect that often exists between IT and upper management and how best to close the gap.

All important issues that must be addressed, from the IT basement to the top-floor executive boardroom.

We can't live in silos doing our individual jobs and pretend the rest of the company doesn't exist. In the battle to secure cyberspace, we're all in this together.

Read more about application security in CSOonline's Application Security section.