Monday Oct 02, 2006
Today is the start of Sun's Customer Engineering Conference (CEC). It is a huge geekfest with thousands of techies descending upon the Moscone Center in San Francisco for several days of executive briefings, technical training and discussions, community building, and of course a lot of fun too. I am currently sitting in our morning keynote where Jim Baty and Dan Berg kicked off the event and Don Grantham is rallying the team, discussing recent successes and outlining the opportunities that lie before us. Honestly, for a sales guy, he is doing pretty well in front of this highly technical and often cynical audience.
This year, I will be giving two talks (each given twice). First, I will be joining Jon Haslam to talk about how DTrace can be used for security monitoring, forensics and (in some limited cases) control. This was a very fun talk to work on and I am very much looking forward to giving it tomorrow. DTrace is such a cool technology and I think we are only at the tip of the iceberg in uncovering ways to use it. This session will include a bunch of practical demonstrations based on both newly developed and freely available code. It is my goal to post the presentations and code snippets once the conference is over.
My second talk is focused squarely on architectural patterns for security. This talk will leverage the Sun Systemic Security work already published as its foundation, but it will go deeper into how some of the architectural patterns can be instantiated and realized using Sun and partner products. Again, I think that this should be a lot of fun, showing how the higher-level abstract components can be made real to solve actual problems facing our customers today.
In addition to my sessions, there will be quite a few security talks happening on each day of the conference, on topics including Solaris, Trusted Extensions, Secure SOA, Privacy and Compliance, and even Kernel Forensics. Lots of great speakers and sessions, so be sure to stop by and hassle them. *grin*
Now, like all speakers, I hope that people will enjoy my sessions and will leave with new ideas, information and a better understanding of the topics being covered. Certainly, the sessions at CEC offer people great opportunities to learn new topics or gain a deeper appreciation for ones they already know. That said, I honestly believe that most people, myself included, get even more out of the community interaction happening before, during and after the conference - the hallway discussions, the brainstorming over breakfast, the deep dives over drinks, etc.
So, if you would like to chat with me about anything - career paths at Sun, technical leadership and development, information security, or any other topic - please feel free to stop me in the hall, call me on my cell, or message me on SMS or AIM. Gotta love a conference where we are encouraged to remain fully connected! If you do not know my contact information, check it out in CEpedia.
Take care,
Glenn
Technorati Tags: OpenSolaris, Solaris, cec2006, security
Friday Sep 22, 2006
This week, I had the pleasure of speaking at the 2nd Annual NIST Security Automation Workshop held at the NIST campus in Gaithersburg, MD. Overall the conference was wonderful, with both great sessions and of course a lot of great discussions in the halls. Day one of the conference was primarily about vision, strategy and direction, with great talks from speakers such as:
- Tony Sager, Chief, Vulnerability Analysis and Operations, NSA
- Ron Ross, FISMA Implementation Project Lead, NIST
- Richard Hale, Chief Information Assurance Officer, DISA
- Dennis Heretick, Chief Information Security Officer, DOJ
- Eustace King, Deputy Director, OSD/NII-IAD
- Annabelle Lee, Director, NCSD/DHS
Day two was focused more on technical matters especially those related to the following efforts:
as well as their interaction and alignment toward the goal of automating security configuration application and assessment. There were also some very interesting vendor presentations from companies who were developing security assessment and configuration tools that leverage these formats. Really cool stuff. I am personally very interested in hearing from Sun customers who are tracking these projects and interested in seeing security guidance, alerts, etc. published in the XCCDF and OVAL formats.
All (or at least most) of the presentations can be found here, and I also have a copy of my presentation here. My talk was primarily a look at Solaris (and Trusted Solaris) security... where we have been, what we are doing today, and where we are going. Along the way, I also discussed some of the ways in which we have collaborated with academia, industry and government to better understand our customers' security requirements, improve the security capabilities of our products, and help make cyberspace a little safer for everyone. Much of that collaboration and teamwork still continues to this day as we work with organizations like CIS, NSA, DISA, NIST, and Mitre (for example) to continue to improve the security capabilities of our products and services, and I, for one, can't wait to see what's next!
Technorati Tags: OpenSolaris, Solaris, security
Tuesday Jun 13, 2006
Tuesday Feb 21, 2006
Previously, I wrote about Sun's speaking presence at the RSA security conference this year. Well, now that this year's conference is in the books, I wanted to share some pictures of the event with you.
The RSA Security Conference was at the Convention Center in San Jose, CA this year. Sun installed a number of Sun Ray 170 Ultra-Thin Clients around the conference center allowing people free access to the Internet. The Sun Rays were also featured throughout the Sun booth on the show floor. One small note: if you are using publicly available kiosks such as these, please be sure to log yourself out of your sessions and close down the browser! I can't tell you how many times I came across someone's e-mail or browser session (where they had neglected to log themselves out). You would think privacy and security would be more of a concern for attendees at a conference like RSA, but then again...
Here we have Mark Thacker (Product Line Manager, Solaris Security and Solaris Trusted Extensions) working on the show floor setting up a demonstration of Solaris 10 based on his recently published HOWTO: Eliminating Web Page Hijacking Using Solaris 10 Security.
Sun Security Illuminati - Gilles Gravier (Chief Security Strategist) [left] and Jim Hughes (Sun Fellow) [right] pose for a picture on the show floor. Jim hosted a BoF session on day 1 of the show titled "Storage Security - Use of Encryption to Protect Data at Rest".
A quick screen shot of Solaris Trusted Extensions. "TX" (as it is affectionately known) is the successor to Trusted Solaris 8. Instead of being a separate product, however, Trusted Extensions will be offered as a piece of software that is layered on top of Solaris 10. TX was announced at RSA and will be available to customers (in beta form) in April.
Another area of the Sun Booth focused on Secure Service Oriented Architectures (or Secure SOA for short). Rafat Alvi gave an excellent talk on Secure SOA to a standing-room-only crowd on day 1 of the conference. It was obvious that this is an area of intense interest, judging by the way Rafat was also mobbed as he manned the Secure SOA area of the Sun booth.
The Sun booth also featured a variety of other offerings including Sun's new SCA-6000 cryptographic accelerator, Sun's identity management and compliance offerings, Sun's encrypting tape drive, and much more!
Back on stage, the man who needs no introduction... Whit Diffie was a speaker at the RSA Cryptographers Panel. Whit shared the stage with crypto luminaries Ronald Rivest, Adi Shamir, and Martin Hellman. The panel was moderated by Burt Kaliski.
Scott McNealy was one of the keynote speakers at RSA this year. Scott's talk was titled "Embracing Risk and Opportunity Through Security". The main thrust of the talk focused on the security and management challenges created by "best of breed" product selection leading to a virtual "Frankenstein" of non-standard, non-interoperable and non-integrated silos in the Data Center. Scott also talked about the security risks of monoculture on the desktop. One of the key themes throughout Scott's talk was Sun(SM) Systemic Security.
While talking about how Sun builds security into our portfolio of products and services, Scott was joined by James Gosling (Sun Fellow, the Father of Java) who talked about security design issues and challenges considered when designing the Java language.
Scott was also joined by Dr. Sheueling Chang (Sun Distinguished Engineer) who talked about her work on Elliptic Curve Cryptography and Sun's contributions to the open-source and standards efforts in that area.
There was so much happening at RSA, there is just not enough time to write about it all. I hope, however, that this sheds a little light on some of what Sun was doing at the conference!
Take care,
Glenn
Sunday Feb 12, 2006
From the press release. For more information on Sun Systemic Security, check out this posting. If you are going to be attending, be sure to check out the Sun booth and look me up! I will be in and around the conference Monday through Thursday and will be at the customer luncheon (Tuesday), if you would like to chat a bit.
MENLO PARK, Calif. -- Feb. 8, 2006 -- Sun Microsystems, Inc. (NASDAQ: SUNW) executive Scott McNealy, chairman and CEO, will deliver a keynote presentation on Feb. 14 at the RSA Conference. At the RSA Conference in San Jose, Calif., Scott McNealy's keynote presentation will address the need for a systemic security approach to both protect and enable opportunities the network provides.
WHEN and WHERE:
Scott McNealy's keynote presentation, "Tear Down the Walls -- Embrace Risk and Opportunity Through
Security", will take place Tuesday, Feb. 14 at 9:50 a.m. Pacific. The RSA Conference is being held
at the McEnery Convention Center in San Jose, Calif. from Feb. 13-17. Information about the
conference can be found at http://2006.rsaconference.com/us/.
Additional Sun Activity at RSA Conference
Sun will host a customer luncheon with security experts Whitfield Diffie and Radia Perlman. Held
on Tuesday, Feb. 14, the lunch will provide an opportunity to learn more about Sun's systemic
approach to security. For more information and to register for the luncheon, please visit
http://mediadirect.com/rsa/email.html.
In the Sun booth, number 515, visitors can view demonstrations and discuss Sun's integrated
technology solutions. In addition to McNealy's keynote, several Sun executives will be
participating in presentations and panels at the RSA Conference, lending expertise on topics
such as identity management, cryptography, data management and cross platform security.
Additional Sun presentations at RSA Conference include:
Tuesday, February 14
* 10:35 a.m. Pacific - Whitfield Diffie, chief security officer
The Cryptographers Panel
* 11:45 a.m. Pacific -- James Hughes, Sun fellow
Storage Security -- Use of Encryption to Protect Data at Rest
* 2:00 p.m. Pacific - Yvonne Wilson, architect
Implementing Federated Identity: What Products Do You Need?
* 3:25 p.m. Pacific - Rafat Alvi, senior architect, CTO Office
Trusted SOA: An End-to-End Trustworthy Services-Oriented Architecture
* 4:30 p.m. Pacific -- Rags Srinivasan, CTO, Technology Evangelism
Secure Cross-Talk Between Java and .NET Platforms Using WS-Security
Thursday, February 16
* 2:00 p.m. Pacific -- Michelle Dennedy, chief privacy officer
The Policy of Identity: Privacy Rules
* 2:00 p.m. Pacific -- Nancy Hurley, director, Data Management Group Software
Integration of Data Management ILM Systems
* 3:25 p.m. Pacific -- Radia Perlman, distinguished engineer
The Information Protection Wars
Friday, February 17
* 11:10 a.m. Pacific -- Hanumatha Neti, director, IT Security and Danny Smith, IT security specialist
Security Metrics -- How Six Sigma is Helping Security in Large Enterprises
Tuesday Apr 26, 2005
Check out Sun's Chief Privacy Officer, Michelle Dennedy, in action at the Security Leadership Council Online Conference and Expo on April 28th at 12 PM Eastern. The online conference runs for two days starting April 27th. Michelle is a speaker for the Leaders Roundtable session, COMPLIANCE IN THE COURTROOM: Security Practices Must Stand Up in Court, and will be joined by Matt Curtin and Steven Brower.
The abstract for the session is:
The whole point of Regulations & Compliance is to turn certain practices and
methodologies into legally binding mandates that are enforceable in a court
of law. Compliance practices, while good in and of themselves, have to be
implemented with a very strong legal focus to ensure full demonstrability in
the eyes of the law, should the need to do so arise. This session will
discuss cyber forensics & e-incident investigation, as well as the legal and
technological ramifications of demonstrating compliance in the courtroom.
The site does require free registration and that you RSVP for the sessions
that you wish to attend.
Friday Mar 25, 2005
It has been a very long time since my last post and for that I apologize. I have a good excuse, honest! I was off for most of January with the birth of my second son. Following that, as you can imagine, when I came back I needed to spend a good deal of time unburying myself from e-mail, v-mail and project deliverables. So, now that I am nearly unburied, I can safely proclaim that I am not dead yet!
I wanted to take a few moments to catch you up on a few things that I have been doing over the last two months or so. I will
also preview a few things that will be coming up...
- Upon my return from leave, I presented at the RSA 2005 Security Conference held in San Francisco, CA. I had the honor of presenting on the topic of "Adaptive Security for Dynamic and Consolidated Environments" with Dave Walker and Peter Charpentier. It was quite a blast!
- I have continued my work as a member of the Unix Benchmark Team for the
Center for Internet Security. Most of the recent work has been on the development and
refinement of the Solaris 10 Security Benchmark. I have to say that in large part due to
the teamwork displayed by that organization, the Solaris 10 Benchmark has come together
very quickly and should be ready to release soon.
- I have also been working on converting some of my Solaris 10 Security blog articles into Sun BluePrints Cookbooks. The first to be converted was Automating Solaris 10 File Integrity Checks. It was published this month. It looks like at least one more will be published next month. Don't think that this is just a rehash of the blog, however. We did actually go in and add new clarifications, examples, and other content! Also, I would like to acknowledge Darren Moffat and Scott Rotondo for their careful technical review of the article. Thank you very much.
- I have also been working on new material. Hopefully in either the April or May edition
of the Sun BluePrints, you will see a new article titled something like Limiting Service
Privileges in the Solaris 10 OS. The paper is done, it is just a matter of getting it
through the necessary processes.
- I have been doing a lot of customer briefings on a variety of topics. Most of my
briefings are deep dives into Solaris 10 security features and capabilities. In fact,
just last week I presented to over 300 customers in both New York, NY and Somerset, NJ
on those topics. It is absolutely incredible the things that you can accomplish with
Solaris 10 in the security space.
- I have also been preparing a talk that I will be giving on April 4th at the EDUCAUSE Security Professionals Conference in Washington, DC. The subject of my talk will be "Systemically Secure Architectures". If anyone reading this will be there, please be sure to stop me in the hall and say 'Hi'!
- I have also been accepted to present at the
New York State Cybersecurity Conference. The subject of my talk will be
"Lessons from the Trenches: Solaris Security Best Practices". Hope to see you there!
Those are just a few of the things that I have been working on recently - that I
can talk about of course. ;-) I hope to do another posting with yet another Solaris
10 Security tip in the very near future.
Also, before signing off, I have to send some kudos to the
Solaris Security Toolkit team. Thanks to their hard work and determination, we
can now proudly say that the Toolkit has become an official Sun product that is
supported under the Solaris Support contract. Great work everyone!
Take care,
Glenn
Tuesday Oct 26, 2004
I have been away for a while due to vacation, customer visits and preparation
for a few upcoming conferences. I will be back soon with more Solaris 10
Security information and tips. In the meantime, you will be able to catch me
this week at the Sun OEM Business Forum being held in Rochester, NY. I
will be presenting on the topic of designing and building secure OEM business
solutions.
Others speaking at the event include:
- Colin Fowles, Director, Sun OEM Business Office
- Patrick Petschel, Director, Market Development, Nu Horizons Electronics Corp.
- Dr. Bob Sproul, VP & Fellow, Sun Labs of Massachusetts
- David Towne, Manager Sun Compliance Engineering
- Trey Talbott, Client Services Architect
- Gordie Klueber, Technical Architect, CTO Office, Sun Microsystems Labs
You can find more information on this event at:
http://www.nuhorizons.com/sun/
Special thanks to Nu Horizons Electronics, Inc. for sponsoring this event.
Monday Oct 04, 2004
Security pros to share secrets at UNC Charlotte
As information technology has advanced, it has increasingly become the key to efficient business communication. The spread of such technologies - and the consequent reliance on them - requires a commitment to understand and minimize the threats that could compromise the facility, privacy and integrity of network data.
Leading researchers and practitioners in the fields of information security will delve into these issues and discuss solutions during the Fall Computer Security Symposium at The University of North Carolina at Charlotte. Secret Service agent Tony Marino and Sun Microsystems Chief Security Officer Whitfield Diffie are among those sharing their expertise during the October 13th program in the Cone Center's McKnight Hall. Attending cyber security professionals, including business continuity professionals, IT managers, software developers, systems administrators, information security professionals and policy makers will have the opportunity to question the experts. Registration begins at 8:30 a.m. with sessions running from 9 a.m. to 4:30 p.m.
Other top cyber security leaders to present will be:
- Kent Blossom, Director of Safety and Security Services, IBM
- Al Decker, Director, Security and Privacy Services, EDS
- Tom Fisher, CIO, Qualcomm
- Brad Ipema, Attorney, Wachovia Bank
- Kevin Kealy, Security Scientist, AT&T
- Wynn Mabry, Director, Homeland Security, Mecklenburg County
- Joan Myers, President, North Carolina Electronics and Information Technology Association
- Ed Paradise, Vice President and General Manager, Mobile Wireless Group, Cisco
- Rebecca Whitener, Director, Privacy Services, EDS
- James A. Whittaker, Associate Professor of Computer Science, Florida Institute of Technology
The symposium's sponsors include:
UNC Charlotte's College of Information Technology and the university's Charlotte Research Institute, which draw on their extensive research and educational programs in computer security. The College of IT's program was recently redesignated by the U.S. National Security Agency as a Center of Academic Excellence in Information Assurance Education.
In addition to UNC Charlotte, sponsors include the North Carolina Electronics and Information Technology Association, the Information Technology Council of the Charlotte Chamber of Commerce and InfraGard.
For details & registration on this year's symposium, please visit
http://www.coit.uncc.edu/symposium/2004/site/index.cfm.
To complement the 2004 Cyber Security Symposium, on Wednesday, October 13th, there will also be a radio broadcast. "Charlotte Talks", a production of WFAE FM 90.7, will host Whitfield Diffie (Sun Microsystems Chief Security Officer), Rebecca Whitener (Director of Privacy for EDS) and Tony Marino (Special Agent for the Secret Service) to address certain questions regarding Identity Theft.
You can listen via the radio or the Internet at FM 90.7.
Monday Oct 04, 2004
The Common Criteria User's Forum will be held this week in Washington, DC. Specifically, the event will begin on Wednesday, October 6th and conclude on Thursday, October 7th. The cost of this event is $100 for non-government employees. For U.S. government employees, the fee is waived.
(From the web site), the goals of the forum are to:
- Recommend practical means to improve the Common Criteria processes and standards to make them a truly viable mechanism toward improving COTS product security for not only the Government, but for all customers.
- Present the opportunity for all parties to express their perspectives on the issues raised and to identify realistic means to resolve them.
- Provide an open forum to discuss and resolve the apparent differences between the views of commercial entities and NIAP.
- Develop a specific plan of action for the recommendations from the NIAP Review and the Task Force Report as well as any additional recommendations developed by the attendees.
- Begin to share Common Criteria experiences as a means of educating all stakeholders.
It looks like it will be both a fun and constructive event. I would encourage
anyone interested in the future of the Common Criteria to stop by if you can.
I will be moderating a session on day 2 entitled "Common Criteria Requirements for Commercial Users". This session will focus on what is needed to make the Common Criteria more relevant and appropriate for use in the private sector. It should be quite a discussion! If you are able to drop in, please say hello!
I will hopefully be getting back to my list of lesser-known and/or lesser-publicized security enhancements to the Solaris 10 OS in the next day or so. Until then, thanks for reading and take care!
Monday Jul 12, 2004
On June 22, 2004, I had the distinct pleasure of travelling to Moscow to attend and present at the Russian-American Conference on Secure Computing. This conference was sponsored by Sun Microsystems and its Russian partner, Swemel, and was held at the Marriott Royal Aurora hotel.
This event focused on a wide array of information security topics and issues facing Russian government and commercial organizations today. The conference was a day long and featured a general session as well as a technical and business track. The event was well attended by leaders of the Russian security council, State Duma, Federation Council, FSB, and many other government organizations and ministries.
My talk provided a technical overview of the Solaris Security Toolkit including its origins, design philosophy as well as practical usage. In addition, a number of other Sun speakers presented during the event including:
- John Gage, Chief Researcher and Vice President of Sun's Science Office
- Dr. Whitfield Diffie, Sun Fellow, VP and Chief Security Officer
- Jean-Paul Bergmans, GSO Country Manager, CIS
- Michael Pratt, SunPS Country Manager, CIS
- Evtim Batchev, SunPS Senior Security Architect, Portugal
- Benjamin Baer, Group Product Marketing Manager, Desktop Solutions
This conference was a continuation of the work completed earlier this year by both Sun and Swemel resulting in the certification of Solaris 9 by the Russian Federal Security Service, opening the way for Solaris to be used for certain types of government and classified processing.
Technorati Tags: Sun Microsystems, security