Tech risk professionals love to have debates about platform security, though it used to be Windows vs. Linux (really closed vs. open source), which morphed into Windows vs. Apple and is now Android vs. iOS. In any case, there are…
Vulnerability Management
The 7-day Itch: Ups and Downs of Google’s New Disclosure Policy
by Pete Lindstrom
Recently, members of the security team at Google made an important announcement about “real-world exploitation of publicly unknown vulnerabilities.” While it was done on the Google Online Security blog, all indications are that this is an official Google policy statement.…
Cognitive Dissonance or Spite?
by Pete Lindstrom
I happened to see a tweet the other day that said: “If you want a bug fixed quickly, sell it on the Russian black market. It’ll be so heavily abused that the vendor will patch out of cycle.” Now, it…
Vulnerability Research in the age of Embedded Systems (SCADA)
by Pete Lindstrom
I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation,…
Evaluating the Oracle Security Manifesto
by Pete Lindstrom
The cool thing about Mary Ann Davidson is she doesn’t mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about…
Liability and Secure Software
by Pete Lindstrom
iang over at Financial Cryptography has a thought-provoking discussion of liability (ht @alexhutton) and its corresponding risks. I think I added a comment (but can’t be sure) that said this: Culture and consciousness is all a distraction and very malleable.…
Monoculture Revisited
by Pete Lindstrom
It’s been eight years since the “great monoculture debate” hit the press with a storm. Bruce Schneier and Marcus Ranum take on the topic in their he says/she says column for searchsecurity, though it doesn’t appear that Schneier actually believes…
Vulnerability Creation vs. Discovery vs. Fix
by Pete Lindstrom
Michael Janke at Last In, First Out is rightly concerned about the respective run rates of the vulnerability creation process and our ability to fix them individually. He asks the question “Are we creating new vulnerabilities faster than we are…