SAN FRANCISCO -- Joshua Corman is mad as hell, and he's not going to take it anymore.
That seemed to be the overarching theme of Corman's closing keynote Monday at Security B-Sides in San Francisco. In the talk, titled Step Up… Or Step Out: Leveling Up, Corman spent much of his time on stage detailing his frustrations with the information security community.
"Every year at RSA, I say I want to quit security," said Corman, director of security intelligence at Internet infrastructure vendor Akamai Technologies Inc. "I'm not an expert. I'm sick and tired of calling people experts."
What goose in particular got Corman's gander? For one, the constant focus on compliance standards, passing audits and the general skewing of priorities, which he feels pervades security.
"We're talking about PCI … who gives a [expletive] about PCI?" Corman said. "The only adversary that we're strong enough to fend off is the auditor."
Though he made it clear he has no personal agenda against the Payment Card Industry Data Security Standard (PCI DSS), he does advocate shifting the focus of the security community to what he feels are more pressing issues than securing credit card data, such as medical devices and critical infrastructure.
He went on to compare software to the steel and concrete that make up the DNA Lounge, the venue for this year's B-Sides event. If an architect designs an unstable building or doesn't take California's earthquakes into account, they no longer get to be an architect. By comparison, Corman feels there is a lack of professionalization in the security community, especially when the same problems that have plagued organizations for years are still problems now.
"Our dependence on IT and software is growing faster than our ability to secure it. … We've known about SQL injection for 13 years," Corman said, and yet he added there are new headlines constantly detailing new SQL injection incidents.
The growing connectivity of everyday devices to the Internet has only increased Corman's questioning of just how long enterprises and society at large can go down a path of constant insecurity.
"I am not comforted by the 'Internet of things'; I am discomforted by the 'Internet of things,'" Corman said. "If you have a toaster with software on it, you have a vulnerable toaster. If the toaster has Internet, you have a vulnerable, exposed toaster."
Corman also took time to lambaste the attendees of RSA Conference, including an anecdote about someone at the show talking on camera about measuring the success of the security industry by the revenue growth of the security vendors. "How is that an accurate measure of security?" he asked.
Interestingly enough, his view of the attendees at Security B-Sides, an event series originally created to foster security industry discussions of an alternative nature, didn't seem much higher.
"I like to think people that are motivated to go to B-Sides are actually more motivated to improve things," he said, "but in reality, most just want an excuse for when things go bad."
Despite considerable negativity toward seemingly everyone in the world of security, Corman described his own goal as hoping to inspire attendees, even if it's just a few, to spend less time trying to break things and more time trying to make things better.
"I don't want to focus on the things that don't affect my personal life and my security; I want to focus on the things that do," Corman said. "So be the most badass medical device hacker and researcher, because no one else is doing it."
View all of our RSA 2013 Conference coverage.