Monday, June 23, 2014

What’s the best tool for the job?

This year I’ve been thinking about fundamentals a lot.  That includes patch management, and in preparing a presentation on the topic I pondered the question:

“What is the best patch management tool?”

I thought back to my favorite patch and systems management tools from past jobs when I ran mixed (but mostly Windows) networks for small businesses.  That reminded me of a lesson about tools I learned many years ago.

What is the best [insert category here]?  I believe there are two answers:

The one you have

The one you know

Note that these may not necessarily be True, but in the real world “truth” can be pretty fluid.  There certainly may be better [whatever category] tools than the ones you have now, but you can’t make a difference with them tomorrow- and “a little better tomorrow” is our goal.  The tools available to you, and which you know how to use, those are the ones you can make gains with immediately.  If you really are pushing the limits of the tools you have available, consider what works and what doesn’t work with the old tools- then look for better tools and processes, making sure you don’t lose anything you currently rely on in the transition (or at least know what trade-offs you are making).

Get the most out of what you have and you’ll make progress and be better prepared for when the elusive Budget Fairy appears with the Magic Resources Dust- you’ll be better able to make the case for new tools if you can show that you are pushing the existing stuff to its limits; as we all know, the Budget Fairy is hard to find, and harder to get money from.

The bottom line is that we can’t let our existing tools artificially limit us.  I’ve heard variations on “I can’t do X without a new tool” since my days as a mechanic- and while it is sometimes true, it is sometimes just an excuse for doing nothing.



Tuesday, June 17, 2014

Is OWASP broken?

That’s a silly question.  I wasn’t going to comment on the current struggles of the Board of Directors for fear of adding to the Pointless InfoSec Drama, but I need to say a few things about it.  I am not an OWASP insider, but I do support their mission.

OWASP has done a lot of great things, and continues to do so today.  As I said, I’m not an insider, but there appear to be some struggles at the global Board level and possibly organizationally at the national and international level.  And I don’t really care- I hope it gets sorted out soon, but the power of OWASP (and a myriad of other organizations, not just in InfoSec and tech) is largely in the local and regional chapters and events, and in the OWASP projects.

If you believe in OWASP (or any other organization struggling with high-level issues), I encourage you to focus your efforts locally; that’s almost always where you can make the most difference.  In the case of OWASP, there are also the numerous projects- you don’t need to be local to work on them.

As Tip O’Neill frequently observed, “All politics is local”.  Please don’t waste time on drama, focus locally and keep up the good work.