Posted on November 18 2009

Microsoft’s Security Intelligence Report - Day 2

More off-the-cuff ramblings while reading Microsoft's Security Intelligence Report: will I actually get through this report? Life intervenes... Page 68: interesting data on parent and child malware, but I don't know what to do with it. Page 71: "An infected computer can belong to several different botnets, which overlap to varying degrees." It appears that infected systems sleep ...
Posted on November 18 2009

Somebody Pinch Me

Saw this headline on the InfoSecurity News mailing list today: "Firms spend only up to 20% of their budget on IT security." This is one of the more bizarre statements I've seen in a long time. It refers to one person's notion of security spending in the United Arab Emirates. The article interviews representatives from Symantec, McAfee, ...
Posted on November 16 2009

Top Ten Web Security Risks

Here is a list of the top ten Web security risks:

1. Hidden Manipulation
2. Cookie Poisoning
3. Backdoor and Debug Options
4. Buffer Overflow
5. Stealth Commanding
6. 3rd Party Misconfiguration
7. Known Vulnerabilities
8. Parameter Tampering
9. Cross Site Scripting
10. Forceful Browsing

Looks like a pretty timely list, doesn't it? Actually, I pulled this list out of my archive. I got it from Sanctum when they called it "10 Types of Web Perversion" ...
Posted on November 6 2009

Confirmation Bias at work?

Evan Schuman has an intriguing post on the McAfee blog about whether the reduced number of data breach reports at DataLossDB.com is indicative of fewer actual data breaches. His answer is an unequivocal "No." His reasoning is as follows: media outlets are less interested in data breaches and therefore are not publicizing them as frequently; retailers, banks, and ...
Posted on November 3 2009

Ramblings while reading Microsoft’s Security Intelligence Report

I just downloaded Microsoft's Security Intelligence Report. Given my predisposition toward good stats, I am looking forward to reading it. Herewith is a running chronology of my thoughts as I read it: Opening pages: 25 authors! Even more contributors! Wow, it had better be worth it... 232 pages! Page 8: "the most significant trend in 1H09 was ...
Posted on October 23 2009

Lindstrom’s Razor is not about security spending

After a few conversations, and having seen (part of) Russell Cameron Thomas' post on the topic, I am beginning to realize that people are making a common mistake about Lindstrom's Razor, which states: The digital assets in question must be worth at least as much as you pay for them. It is important to recognize that these ...
Posted on October 22 2009

What is “Lindstrom’s Razor”?

Yesterday, Andrew Jaquith from Forrester blogged about digital asset value, in response to Russell Cameron Thomas' post on the same topic, which was in response to a Jeremiah Grossman tweet*. Andrew's post mentioned a cost-based approach I use for valuation that he aptly named "Lindstrom's Razor" (has a nice ring to it, doesn't it? ;-)). ...
Posted on October 20 2009

You say you want an evolution…

... well, you know, we all want to change the world. Josh Corman from ISS/IBM is ready for change. He lays out a call to action over on fudsec.com. Lots of good comments over there. Here is my contribution: I agree wholeheartedly that we need to consider evolution and that our profession is reluctant to do so. ...