You say you want an evolution…

… well, you know, we all want to change the world.

Josh Corman from ISS/IBM is ready for change. He lays out a call to action over on fudsec.com. Lots of good comments over there. Here is my contribution:

I agree wholeheartedly that we need to consider evolution and that our profession is reluctant to do so. Compliance slows things down even more. We have plenty of opportunities for re-architecting security, as the components are already there. Consider taking deperimeterization to its logical conclusion, or integrating obfuscation, transformation, tracers, and tethers into an architecture.

I wrote a column for ISSA Journal a while back with some ideas for security evolution:

1. Conscientious software
2. Remote attestation
3. Microsecurity
4. Contextual mapping
5. Hyperdynamic processing

(see http://spiresecurity.com/?p=208 for more information).

The cool thing is that this is about evolution and not revolution – the roots of capabilities like trusted computing, for example, are well-defined and simply need to be applied to today’s architectures.

I think virtualization and cloud computing have really exposed internal computing components in ways that make evolution discussions very timely.