Denim Group has been acquired by Coalfire. Learn More>>

Physical Security and Application Security – Where the Two Worlds Collide

By John B. Dickson, CISSP

I recently had the opportunity to attend the ASIS International Annual Seminar and Exhibits in Orlando, Florida. ASIS is the largest physical security conference in the world and arguably one of the oldest security trade groups in the US (they have been around since 1955). With 20,000+ in attendance, it’s hard to argue that this wasn’t one of the premier conferences in the security industry.  I’m probably more of an information security guy than a physical security person, whose limited exposure to the physical security world has been through the CISSP certification (one block of instruction) and during the infrequent red team exercises I’ve participated in during my career where breaking and entering a client’s office complex was part of a contracted project.

SoldierWhat brought me to the ASIS conference was the ISC2, the International Information Systems Security Certification Consortium, and its Security Congress. The Security Congress tracks ran concurrently with the ASIS conference, attracting nearly 1,000 attendees from the traditional information security field. ISC2 had separate speaker tracks that addressed application security, cloud security and social networking. My session had about 40 attendees – a little light but a good group. The interaction was solid and the questions insightful. In short, the speaker session might as well have been at any mainstream information security conference.

Where I experienced culture shock the most was on the ASIS expo floor. For those that argue that the physical security and information security fields are converging, my first ASIS led me to believe otherwise. For starters, more than half of the exhibitors wore dark suits, as did many of the attendees (and, yes, I did see a fair share of three-piece suits). This was in stark comparison to RSA, where most of the booth workers look liked they just hopped off the 18th hole, albeit with matching company golf shirts.

There was a formal air to the expo, including several dark panel wood booths that looked more like a law office library room than a trade show expo stand. Like the info security world, 85-90% of the attendees were men, but the average age at ASIS felt 10-15 years older than RSA, by comparison (I did not quantify that!)

Barbed wireThe biggest difference between ASIS and RSA/Blackhat, etc., were the vendors. Very, very little overlap existed between those at ASIS and the information security conferences I’ve attended recently, and I’ve spoken at and attended a bunch. The big names were 3M, Ingersoll Rand, Honeywell, and not RSA, Symantec, IBM and the usual suspects from the infosec product and service world.


Having said that, there were some very cool things I saw at ASIS that I would never see at a mainstream information security conference. Barbed wire, for example. Seeing a barbed wire display actually jolted me into full awareness that I was not at an infosec conference. The company selling remote-controlled helicopters for SWAT surveillance tickling the geeky side of me. Seeing the fully-Kevlared out SWAT booth worker could not have been cooler too. And who could knock the executive security folks and their booth video showing how they whisk high-profile executives out of harm’s way. I want that.

HelicoptersMy head was totally on a swivel as I walked through the acres of trade show booths. I guess it makes sense, but there were a ton of security badge vendors hawking their wares too. Not proximity badge guys, just the guys that actually manufacture the plastic badges and lanyards.  

We get pretty wrapped up in the infosec and appsec world, so ASIS was a good reminder that the physical security world is a robust industry that is as highly valued, if not more valued, than our own. There appeared to be some heavyweight buyers on the tradeshow floor, if the elaborate booths were any indication.

I’d like to see more events where the two worlds converge, but candidly, after ASIS it struck me how far they are in fact apart. Different people, different vendors, and different concerns. I know physical security guys will jump all over this, but my vote is that convergence is still more an aspiration than a reality, at least as evidenced by ASIS 2011.

Contact us for more information about software security at your organization.




Categories: Uncategorized

Leave a Reply

Your email address will not be published. Required fields are marked *