FIRST - Improving Security Together 18th Annual FIRST Conference - June 2006 - Baltimore, Maryland

If You Don't Know What You Don't Know

Wednesday – June 28th, 12:00

IT Security has by definition always been a reactive business. It is like having a castle, protecting the crown jewels with locked gates (firewalls), intrusion detection (the watch) and intrusion prevention methods (hot oil and pitch, arrows, stones, dead horses etc.), preventing anyone unauthorized from attacking and entering.

However, major changes over the last couple of years in the requirements of businesses to keep up with competition and markets have demanded a different approach to Web based services, resulting in systems being opened up to visitors, customers, and our own teleworkers. It's like having to maintain a 24-hour market, open to everyone, in the middle of your castle, with stalls of next generation technology enticing visitors to buy. How do you strip-search 500K unique visitors to your site each month?

The demands on today's web designers and programmers increasingly emphasize being open and accessible, visually attractive, and rich in smart functions.

The "New Breed" of web designers and programmers of today is artistic; they were trained entirely in market-focused design, with educational institutes jumping to the demand and delivering new breed courses and degrees. Today's programmers program "on the fly", constantly needing to meet the requirements of marketing and sales departments. The demand on them is huge; after all, static websites are out, and dynamic content is in. The "can you do this, can you do that, we need it live this Monday" puts enormous pressure on them to deliver. Deliver quickly.

To the aid of this new breed comes an unbelievably enormous pool of programs, scripts, and tools, available on the Internet, either free or at low cost. Re-use has gained another meaning: what is easier than including code snippets and scripts to have the new Web Application deliver what the Marketing and Sales people require? Today's web programmers are artists, not the logical, structured breed of developers we used to have developing accounting and warehouse management applications. Artists who may claim the paintings of others as their own. If you were an artist, would you admit copying someone else's work?

The teleworkers of today, who have become one of the main areas of productivity improvement for organizations (after all, physically travelling to and from work is becoming more and more of a burden in most cities of the world, or virtually impossible with the huge traffic jams), are not IT people either. They face the same pressure of having to deliver. And their kids may have secretly installed LimeWire or other file sharing software on their parents' notebook, downloading files, video, music and the rest for their own satisfaction. They are no IT Security Experts.

All these groups together just do what they can to make ends meet, to deliver value to their employer, to avoid having to work through the weekend, to catch up with their workload. And here lies the danger. If you don't know what you don't know, it does not exist. You don't even know enough to be able to ask the question.

If IT Security staff do not know what they don't know, the question will never be asked. The answer to this "Question We Do Not Know To Ask" can mean the difference between an organization's success and corporate disaster. The difference between an IT Security job well done and an unexpected career change.

Authors & presenters

  • Arjen de Landgraaf, Presenter (Co-Logic Security, Ltd, NZ)

