Welcome to Collaborative Strategy Guild, where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.
I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation, it focuses on the recent SCADA disclosures by Digital Bond and Rapid7. These are some of the smartest people in our field and yet they insist (by implication) on increasing risk to make a point. I sincerely hope they reconsider their actions in the future, before any serious damage is done.
Continue reading: Vulnerability Research in the age of Embedded Systems (SCADA)
The cool thing about Mary Ann Davidson is she doesn’t mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about her latest blog post – Those Who Can’t Do, Audit – I expected some sizzle. And got it.
It turns out the target this time is “SASO,” a company that must be making headway in driving legislation towards third party code reviews.
“I’ve opined in previous blogs on the importance of defining what problem you want to solve, specifying what “it” is that you want to legislate, understanding costs – especially those pertaining to unintended consequences – and so on.”
… Continue reading: Evaluating the Oracle Security Manifesto
iang over at Financial Cryptography has a thought-provoking discussion of liability (ht @alexhutton) and its corresponding risks. I think I added a comment (but can’t be sure) that said this:
Culture and consciousness are all a distraction and very malleable. What really matters at the end of the day is the relative number of vulns in the software.
Also, worth noting that “secure software” is a derivative goal of less risk – that is, fewer incidents. We often opt for the former in the face of the latter, which is counterproductive.
Liability is a horrible idea. Here are some reasons why:
- It’s unenforceable.
- It will destroy innovation.
- It will destroy open-source.
- It will create an Xbox Internet.
- It will double prices.
- It will force lock-in.
- And, finally —… Continue reading: Liability and Secure Software
It’s been eight years since the “great monoculture debate” hit the press with a storm. Bruce Schneier and Marcus Ranum take on the topic in their he says/she says column for SearchSecurity, though it doesn’t appear that Schneier actually believes the story any more… for good reason.
At the time, I wrote a rebuttal in Information Security Magazine. I can’t find it at the original online link, so have copied the version I have below (this might differ slightly from the published version). Let me know what you think.
ALL TOGETHER NOW
I’m sick and tired of having to be a farmer, car manufacturer, avionics expert and biologist to do my job. This whole analogy business has gone way too far… Continue reading: Monoculture Revisited
Michael Janke at Last In, First Out is rightly concerned about the respective run rates of the vulnerability creation process and our ability to fix them individually. He asks the question “Are we creating new vulnerabilities faster than we are fixing old ones?” after providing a list of publicly disclosed vulnerabilities from various time periods.
I am not clear whether this list of disclosed vulnerabilities is intended to represent vulnerabilities created or fixed (it is neither), but it certainly does its job in highlighting the problem. It is worth first understanding that vulnerabilities can exist in various states after creation – undiscovered/discovered; undisclosed/disclosed (publicly); and unfixed/fixed, giving us 8 different possible state combinations (though 2 are… Continue reading: Vulnerability Creation vs. Discovery vs. Fix