Securosis

Research

Oracle Critical Patch Update, July 2009

If you have read my overviews of Oracle database patches long enough, you probably are aware of my bias against the CVSS scoring system. It’s a yardstick to measure the relative risk of the vulnerability, but it’s a generic measure, and a confusing one at that. You have to start somewhere, but it’s just a single indicator, and you do need to take the time to understand how the threats apply (or don’t) to your environment. In cases where I have had complete understanding of the nature of a database threat, and felt that the urgency was great enough to disrupt patching cycles to rush the fix into production, CVSS has only jibed with my opinion around 60% of the time. This is because access conditions typically push the score down, and most developers have pre-conceived notions about how a vulnerability would be exploited. They fail to understand how attackers turn all of your assumptions upside down, and are far more creative in finding avenues to exploit than developers anticipate. CVSS scores reflect this overconfidence. Oracle announced the July 2009 “Critical Patch Update Advisory” today. There are three fairly serious database security fixes, and two more for serious issues for secure backup. The problem with this advisory (for me, anyway) is that none of my contacts know the specifics behind CVE-2009-1020, CVE-2009-1019 or CVE-2009-1963. Further, NIST, CERT, and Mitre have not published any details at this time. The best information I have seen in Eric Maurice’s blog post, but it’s little more than the security advisory itself. Most of us are in the dark on these, so meaningful analysis is really not possible at this time. Still, remotely exploitable vulnerabilities that bypass authentication are very high on my list of things to patch immediately. And compromise of the TNS service in the foundation layer, which two of the three database vulnerabilities appear to be, provides an attacker both a method of probing for available databases and also exploitation of peer database trust relationships. I hate to make the recommendation without a more complete understanding of the attack vectors, but I have to recommend that you patch now. Share:

Share:
Read Post

Technology vs. Practicality

I am kind of a car nut. Have been since I was little when my dad took me to my first auto race at the age of four (It was at Laguna Seca, a Can-Am race. Amazing!). I tend to get emotionally attached to my vehicles. I buy them based upon how they perform, how they look, and how they drive. I am fascinated by the technology of everything from tires to turbos. I am a tinkerer, and I do weird things like change bushings that don’t need to be changed, rebuild a perfectly good motor or tweak engine management computer settings just because I can make them better. I have heavily modified every vehicle I have ever owned except the current one. I acknowledge it’s not rational, but I like cars, and this has been a hobby now for many years. My wife is the opposite. She drives a truck. For her, it’s a tool she uses to get her job done. Like a drill press or a skill saw, it’s just a mechanical device on a depreciation curve. Any minute of attention it requires above filling the tank with gasoline is too many. It’s stock except for the simple modifications I made to it, and is fabulously maintained, both facts she is willfully unaware of. Don’t get me wrong, she really likes her truck because it’s comfortable, with good air and plenty of power, but that’s it. After all, it’s just a vehicle. As a CTO, I was very much in the former camp when it came to security and technology. Love technology and I get very excited about the possibilities of how we might use new products, and the philosophical advantages new developments may bring. It’s common, and I think that is why so many CTOs become evangelists. But things are different as an analyst. I have been working with Rich for a little over a year now and it dawned on me how much my opinion on technology has changed, and how differently I now approach discussing technology with others. We had a conference call with an email security vendor a couple weeks ago, and they have some really cool new technology that I think will make their products better. But I kept my mouth shut about how cool I think it is because, as an analyst, that’s not really the point. I kept my mouth shut because most of their customers are not going to care. They are not going to care because they don’t want to spend a minute more considering email security and anti-spam than they have to. They want to set policies and forget about it. They want to spend a couple hours a month remediating missing email, or investigating complaints of misuse, but that’s it. It’s a tool used to get their job done and they completely lack any emotional attachment their vendor might have. Cool technology is irrelevant. It has been one of my challenges in this role to subjugate enthusiasm to practicality, and what is possible for just what is needed. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.