
All Those Companies that Can't Afford Dedicated Security - 127001brewer
http://www.schneier.com/blog/archives/2013/02/all_those_compa.html
======
tptacek
After "what's the best new way I can find people who can write code fast and
who will have a talent for finding security vulnerabilities", this is the
issue that occupies all my cycles.

Like most firms working in security, our bread is buttered by large companies,
who are bidding very high numbers for (in our case) appsec testing.

But by number, a conspicuously large fraction of our customers are mid-late
stage startups, and taken as a whole, we talk to more startups than any other
kind of business.

Startups are particularly exposed to the security market problem. They have
very little infrastructure and they are spending most of their cycles just
trying to stay in business and find traction. At the same time, they've
managed to outsource all of the technical requirements of their businesses
_except the part which bears the highest security risk_ , which is their
custom code.

What can we do about this? I talk to YC companies all the time, and it's
frustrating. I am always good for a phone call and we'll even poke at startup
apps pro-bono (we love working with startups) but that help has to get in line
behind our paying clients, all of whom can be counted on to appear from behind
a dark corner at any moment and swallow 2-3 weeks of our time whole.

I am seriously all ears for ideas on how security people like iSEC and
Matasano can help early-stage startups without invoicing half+ of those
startups last funding round.

~~~
lifeisstillgood
I have always assumed this is about the editing of choices - there is a vast
world of OSS choices. And I cannot keep up.

I would happily buy Matasano-branded cloud servers that talked the
AWS/OpenStack API (ie _were_ actually run there) but were imaged off one
baseline that was Thomas-Approved.

I don't trust other people's Chef or Puppet recipes to install nginx for me. I
would trust yours.

That means I would start writing my application on your branded stack. If that
means I get to only use vi on OpenBSD then - hey, there is real badge value in
it still :-)

And if actually I can only deploy my code to your secure server via a CI
process, all the better.

After that we can talk appsec, and scaling.

~~~
danielweber
There was a guy in the Pinboard Prosperity Cloud who was working on
best-in-class secure VMs. I haven't seen a follow-up but it's only been several
weeks.

<http://static.pinboard.in/prosperity_cloud.htm>

~~~
lifeisstillgood
Thank you - I write six paragraphs to describe your six words - "best-in-class
secure VMs". That's what I meant - what he said. :-)

------
mattmanser
_Today, it's increasingly rare for organizations to have bespoke security,
just as it's increasingly rare for them to have bespoke IT. It's only the
larger organizations that can afford it._

The rest of the article is based off this premise, which I can't agree with at
all.

It's the micro and small companies that are using off-the-shelf cloud
software, not the mid-size companies. I know of two software vendors in my
city alone that sell project management software to mid-size companies, both
offer bespoke customization on top of a core product (one written in-house,
one Dynamics CRM) and they are both doing a roaring trade in completely
different markets.

All of these off the shelf cloud systems offer only the most basic business
functionality when you actually get down to it. Salesforce just manages sales.
That's all. To get it to do more you need to do bespoke customisation. And
then you find out you can't just pay someone to build some software and let it
just run, you need to be able to change it as your market and needs change.

EDIT: My impression is that off-the-shelf cloud software is replacing shared
excel spreadsheets and Access DBs. But this is all based on gut, I'd be
interested to see any evidence supporting either me or Bruce.

------
stcredzero
The big hole here, is that security in this day and age involves preventing
phishing attacks. The only way that you can protect users from their own
stupidity is to lock them down.

Google Chrome and other walled gardens may win, because they come locked down
by default. Corollary: Open Source may remain a thing for geeks only because
of this.

~~~
snowwrestler
True. To fight phishing without locking down users takes staff and software to
scan the network in real time, to catch phishing attacks as they succeed but
before they get anything. That stuff is expensive.

------
joonix
I'm not in IT nor am I a software engineer. That said I'm tech proficient and
was an amateur coder in a past life. Security seems like it has a solid
future. What's the best way to train for a career (change) in IT security?

~~~
tptacek
You have successfully slain the red wumpus. His bleeding corpse lies before
your feet. Your quest continues; choose your own adventure:

* If designing and enforcing rules and policy interests you, turn to page 23.

* If deploying and managing complex technical infrastructure interests you, turn to page 12.

* If being a part of teams that ship products is what gets you up in the morning, turn to page 45.

* If being a part of teams that tear shipping or soon-to-be shipping products to shreds is more your thing, turn to page 34.

Which will you choose? I'll tell you what the page says.

~~~
didsomeonesay
Page 31 please :)

~~~
pbiggar
You have a career in security waiting for you.

