Welcome to Collaborative Strategy Guild

Where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system – demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…)

At this stage of the game, this might be an interesting approach to disclosure (I guess this is sort of like the video approach that Dave Maynor did a few years back…). I am not completely sold, since I am not clear on how much this approach would lower the attacker’s cost.

This contrasts with Tavis Ormandy’s disclosure of the Java Web Start vulnerability which was simply a debacle of…

How Much is Your E-mail Worth?

CSG has published another report!

How Much is Your E-mail Worth?: Quantifying the Total Value Investment (TVI) of SaaS E-mail to Small and Medium Businesses

CSG members Pete Lindstrom and Karen Hobert conducted and authored this study on quantifying the Total Value Assessment of SaaS E-mail. A worthwhile read if you’re trying to figure out how much your e-mail options will really cost you.

You can download the white paper here or go to our Research page.

Can you have “more secure software” and still have greater risk?

Answer: Yes.

Here’s how: The software element of the risk equation only accounts for vulnerabilities; it doesn’t address threat. So we can reduce our vulnerability level, and therefore have “more secure software,” in the midst of increased risk. This manifests itself in a higher number of incidents, which is the outcome of the threat and vulnerability components of risk combined.

Rudeness, risk and vulnerability disclosure

Robert Graham at Errata Security has yet another thoughtful post – this one on the “rudeness” of vulnerability disclosure. His key point:

“However, vuln disclosure isn’t friendly. It is an inherently rude act.”

It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is that final phrase in the final sentence: “unfettered security research serves the greater good.”

I guess my big question is how Rob defines “the greater good.” I infer from his post that he thinks in terms of software defects. That is, the existing vulnerability discovery and disclosure cycle has led to fewer vulnerabilities than there would have been had this process not existed. This seems…