Today, Verizon released its Verizon 2010 Payment Card Industry Compliance Report which I had the pleasure of working on. One of the most interesting things in my opinion is the PCI 80/20 Rule. The broad results of the report show…
Highlights
Announcing: The Month of No Bugs (MONB)!
by Pete Lindstrom • Comments Off
It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)! This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to…
Disclosing the Elephant in the Room of the Disclosure Debate
by Pete Lindstrom • Comments Off
There has been a lot of discussion lately about vulnerability disclosure, with Google and Microsoft respectively weighing in with their latest opinions on the topic. There is really nothing new here, as evidenced by the Google folks referencing a 9-year-old…
There is no such thing as *Real* Value
by Pete Lindstrom • Comments Off
Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value,…
Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?
by Pete Lindstrom • Comments Off
Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system – demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a…
Can you have “more secure software” and still have greater risk?
by Pete Lindstrom • Comments Off
Answer: Yes. Here’s how: The software element of the risk equation only accounts for vulnerabilities, it doesn’t address threat. So we can reduce our vulnerability level and therefore have “more secure software” in the midst of increased risk. This manifests…
Rudeness, risk and vulnerability disclosure
by Pete Lindstrom • 1 Comment
Robert Graham at Errata Security has yet another thoughtful post – this one on the “rudeness” of vulnerability disclosure. His key point: “However, vuln disclosure isn’t friendly. It is an inherently rude act.” It is an interesting post, primarily focused…
Vswitch isolation and segmentation – an Illusion
by Pete Lindstrom • Comments Off
Brad Hedlund points out a common misunderstanding in the virtualization networking world – you can segment and isolate all you want, but it is simply a logical construct. From a risk perspective, I equate this type of virtual segmentation (for…