Where-o-Where-o-Where-Is-Thomas-Ptacek?
Thomas Ptacek | April 18th, 2007 | Filed Under: Navel Gazing, Uncategorized
It’s only a matter of days before my son and daughter start asking the same question. The answer: finishing up Matasano’s first product (!), and working with the team on some upcoming announcements. Exciting stuff! Can’t sleep! Clown’ll eat me!
In the meantime, you can listen to me on Rich Mogull’s Gartner podcast about the value of vulnerability research to enterprises. If you don’t relish the idea of hearing 11 minutes of my nasal, cell-phone-attenuated voice in its full 96bps 22khz glory, here’s what we talked about:
That vendors who ship products would be way better off getting those products assessed before they ship them, rather than assessed by their customers or competitors in the field. Motherhood, meet Apple Pie.
That regardless of the ego-tripping that IDA Pro, BinNavi, and firewire/PCI kernel debugging promote (mea maxima culpa), web applications are the future of development and web app security is the future of security.
That for God’s sake if you’ve got your own web apps you need to get them tested; it’s a phone call and a 2-3 week mostly-unattended service engagement to get a third party to do that for you.
That nobody coming out of school is automatically an expert in secure coding; CMU and UCDavis are great, but uninitialized variable attacks came from some guy in Europe at some talk in Canada, not from a course curriculum.
That whatever you spend now on unproven intrusion prevention and antivirus, you should be spending N times more on cultivating an internal vulnerability research team.
No surprises.
I O U 3 more DNS security posts, 2 more Python debugging and runtime code generation posts, and like, 48748974 other things I’ve got queued up, and promise to get them out soon. Thanks for staying tuned!


dre
April 18th, 2007 4:11 pm
congratulations on the product and upcoming announcements. btw - i’m moving to chicago on may 2nd