I'm in Salt Lake City right now, sitting in the Wasatch Brewing Co. bar drinking a Polygamy Porter. You can't have just one. ;-)
I'm on the way to Hawaii for a few days of vacation without the crazy pregnant one. OK, so she's not crazy, but pregnancy does strange things to a woman. And she was the one who decided not to join me in Hawaii...
I'm really on the way to Hawaii for the Hike for Discovery fall season. We have a small team going to Kaua'i this week for Saturday's hikes around the island. I'm meeting Jerry (HFD team coach) and his wife this afternoon in Kaua'i for a few days of fun before the big HFD weekend. I'll be hiking the Kukui trail down into Waimea Canyon, more details on that soon.
I've been on the road a lot lately for both work and pleasure, which always results in some humorous experiences. The best one of note recently was in NJ. Jeremy and I were staying in Harrison, NJ for the week doing consulting for one of our clients in the Jersey City area. Unfortunately all of the hotels in and around Jersey City were booked, so we were scraping the bottom of the barrel for a decent hotel. The Hampton Inn in Harrison, NJ qualifies as the bottom of the barrel due to its location and the fact that it's inconvenient to everything. So we took the hotel shuttle a lot to get to the train station, dinner, etc. On our last night in NJ, we called the shuttle to pick us up from dinner in the Ironbound district in Newark. After being picked up, the driver picked up a guy in a suit from Penn Station. Let the fun begin.
Jeremy engaged the guy in a conversation. Lo and behold, he's a security consultant! (Gee, I sure am glad *I* don't have to wear a suit!) So we start chatting and ask him about his work. While I don't remember the exact conversation, it went something like this:
Us: What kind of work do you do?
Suit: Security consulting. Penetration testing, SDLC (software development lifecycle) work, software security, policy work, etc.
Us: Interesting, we also do SDLC work... Are you a developer?
Suit: Oh no. Accountant.
(At this point, Jeremy and I shoot each other looks of WTF??)
Us: So, uh, when you say software security, do you do code reviews? Threat modeling?
Suit: Threat modeling? No, I don't get down to the packet layer.
Us: What about your SDLC work?
Suit: Oh, well we tell people how to push code to production environments...
The conversation went on like that for a few more minutes before we got back to the hotel. When we were in the clear, Jeremy and I had a good laugh at Mr. Suit and his "packet layer" comments. Threat modeling is a method of analyzing a software system the way an attacker thinks about it: outlining his goals and enumerating the ways he can achieve them. Specifically, we look for threats against the system and the strategies that mitigate them; vulnerabilities exist wherever a threat has no mitigating strategy in place. I've never had to "get down to the packet layer" when threat modeling most software systems, so I'm not sure what he thinks we were talking about. (Yes, I can see where this would be useful if threat modeling a network protocol, but most of my TM work is at a higher level, using standard network protocols like HTTP, for instance.)
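To make the "threats minus mitigations equals vulnerabilities" idea concrete, here is a small threat-model checker. It is an added example, not code from the original post: the HTTP login endpoint, its threat list, the STRIDE categories and impact scores, and the mitigations are all constructed sample data. The one rule it encodes is the one in the paragraph above: a mitigation that is planned but not actually in place gives no credit, so the threat it was meant to cover still shows up as a gap.

```python
"""Toy threat-model checker (added example; not from the original post).

Models the process described in the post: enumerate an attacker's goals
against a system, map each to the mitigations actually in place, and report
the threats with no mitigation as the vulnerabilities to fix.  The HTTP login
service, threat list and mitigations below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    """One thing an attacker wants to achieve against an entry point."""
    id: str
    entry_point: str   # where the attacker interacts with the system
    goal: str          # what the attacker is trying to achieve
    category: str      # STRIDE category, used for grouping only
    impact: int        # 1 (low) .. 5 (critical), assigned by the reviewer


@dataclass
class Mitigation:
    """A control that counters one or more threats."""
    name: str
    counters: set = field(default_factory=set)  # threat ids it addresses
    implemented: bool = True                    # planned but absent = no credit


def unmitigated_threats(threats, mitigations):
    """Return threats no *implemented* mitigation counters, highest impact first.

    A mitigation that exists only on paper (implemented=False) does not count:
    a vulnerability exists wherever a threat has no mitigating strategy that is
    actually in place.
    """
    covered = set()
    for m in mitigations:
        if m.implemented:
            covered |= m.counters
    gaps = [t for t in threats if t.id not in covered]
    return sorted(gaps, key=lambda t: (-t.impact, t.id))


def coverage_report(threats, mitigations):
    """Map each threat id to the names of implemented mitigations covering it."""
    report = {t.id: [] for t in threats}
    for m in mitigations:
        if not m.implemented:
            continue
        for tid in m.counters:
            if tid in report:
                report[tid].append(m.name)
    return report


# Constructed model of an HTTP login endpoint (sample data, not a real system).
LOGIN_THREATS = [
    Threat("T1", "POST /login", "guess passwords by brute force", "Spoofing", 4),
    Threat("T2", "POST /login", "read credentials in transit", "Information disclosure", 5),
    Threat("T3", "POST /login", "inject SQL via the username field", "Tampering", 5),
    Threat("T4", "POST /login", "exhaust the server with login requests", "Denial of service", 3),
    Threat("T5", "GET /login", "learn which usernames exist from error text", "Information disclosure", 2),
]

LOGIN_MITIGATIONS = [
    Mitigation("TLS on all endpoints", {"T2"}),
    Mitigation("parameterised queries", {"T3"}),
    Mitigation("per-account lockout and rate limit", {"T1", "T4"}, implemented=False),
    Mitigation("uniform 'invalid credentials' message", {"T5"}),
]


if __name__ == "__main__":
    for t in unmitigated_threats(LOGIN_THREATS, LOGIN_MITIGATIONS):
        print(f"{t.id} impact={t.impact} [{t.category}] {t.entry_point}: {t.goal}")
```

Run it and the two unmitigated threats (brute force and request flooding) come out on top, because the lockout/rate-limit control is still only planned. Nothing in the model touches packets: the entry points are HTTP requests, which is the level most application threat models live at.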
I'm not sure who you work for, Mr. Suit, but this is why accountants don't make good software security consultants. If you don't understand developing code, and you don't understand working in a development environment, it's a pretty good bet that you're not going to be too successful at doing SDLC consulting... unless you're only writing policy about who gets to push code to production...
Buyer beware... not all consultants and consulting firms are equally capable of doing software security work. Especially if their consultants are accountants!