I think I need to stop feeling guilty for trying to run a business.

Yesterday we announced that we’re trying to put together a list of end users we can run the occasional short survey past. I actually felt guilty that we will derive some business benefit from it, even though we give away a ton of research and advice for free, and the goal of the surveys isn’t to support marketing, but primary research.

I’ve been doing this job too long when I don’t even trust myself anymore, and rip apart my own posts to figure out what the angle is. Jeez – it isn’t like I felt guilty about getting paid to work on an ambulance.

It is weird to try to build a business where you maintain objectivity while trying to give as much away for free as possible. I think we’re doing a good job of managing vendor sponsorship, thanks to our Totally Transparent Research process, which allows us to release most white papers for free, without any signup or paywall. We’ve had to turn down a fair few projects to stick with our process, but there are plenty of vendors happy to support good research they can use to help sell their products, without having to bias or control the content. We’re walking a strange line between the traditional analyst model, media sponsorship, research department, and… well, whatever else it is we’re doing. Especially once we finish up and release our paid products.

Anyway, I should probably get over it and stop over-thinking things. That’s what Rothman keeps telling me, not that I trust him either.

Back to that user panel – we’d like to run the occasional (1-2 times per quarter) short (less than 10 minutes) survey to help feed our research, and as part of supporting the OWASP survey program. We will release all the results for free, and we won’t be selling this list or anything. If you are interested, please email us at survey@securosis.com. End users only (for now) please – we do plan on expanding to vendors later. If you are at a vendor and are responsible for internal security, that’s also good. All results will be kept absolutely anonymous.

We’re trying to give back and give away as much as we can, and I have decided I don’t need to feel guilty for asking for a little of your time in exchange.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Adrian’s Dark Reading post on Dealing with Weak Passwords.
Rich’s TidBITS article on iPads for the enterprise
Rich’s Endpoint DLP article took the cover of Information Security magazine
Rich quoted by cnet on the Mac vs. PC security debate
At TidBITS, Pepper points out that the dead are staging a comeback in the ebook market. Zombie Authors Threaten Fiction Ebook Market, from the Grave! – Brains, anyone?
Favorite Securosis Posts
Rich: Adrian’s post on Agile and SDL. Funny timing on this one, with Microsoft starting to release some new information on it.
Adrian: Mike’s Monitor Everything. I disagree with some of it, but there is so much good information that it’s my fave this week.
David Mortman: Analysis of Trustwave’s 2010 Breach Report More yummy yummy data
Mike: What do DLP and condoms have in common? Any time you can mention condoms on a corporate blog, it’s a win. ‘nuf said.
Meier: Comments on Microsoft Simplified SDL I was hoping Adrian would do a rundown when I saw this earlier and I enjoyed how he broke it out.
Other Securosis Posts
The NSA Isn’t Evil (Even Working with Google)
Database Security Fundamentals: Access & Authorization
Need Brains. User Brains
Incite 2/2/2010: The Life of the Party
You Have to Buy Data Security Tools
Pragmatic Data Security: Discover
The Network Forensics (Full Packet Capture) Revival Tour
Network Security Fundamentals: Default Deny (UPDATED)
Favorite Outside Posts
Rich: Jeremiah’s great post on why we need to break the web to secure it. This is one of the biggest problems we face on the web – the refusal to make important changes which would enable us to move forward, for fear of breaking older content. Not that we should break things willy-nilly, but many of the bits we are talking about breaking are easy to work around in terms of still providing users the same browsing experience. It’s the ad networks that are the big problem.
Adrian: Krebs on ATM Skimmers, part 1 and 2, as very practical security tips.
Mike: Kudos to Will Gragido, who makes a play for the fundamental building block of pragmatic philosophy – Accountability the non-Negotiable Asset. Keep in mind that accountability cuts both ways: you need to be accountable for meeting deliverables and managing expectations, and folks in your organization need to be accountable for not doing stupid things.
David Mortman: Excerpts from Randy George’s “Dark Side of DLP” “It’s not just enough to recognize badness; someone has to be able to classify badness, with authority.” Says so much about security and not just DLP.
Chris: Twitter: real but malicious BitTorrent trackers harvesting accounts. Who knew Twitter had real security staff?
Meier: How secure are you? Access was easy at 9 out of 10 buildings. It’s easy for staff writers at the Orlando Sentinel – it’s easy for anyone.
Project Quant Posts
Project Quant: DatabaseSecurity – WAF
Project Quant: Database Security – Encryption
Project Quant: Project Comments
Project Quant: Database Security – Protect through Monitoring
Project Quant: Database Security – Audit
Project Quant: Database Security – Monitoring
Project Quant: Database Security – Open Question to Database Security Community
Project Quant: Database Security – Shield
Top News and Posts
House passes cybersecurity bill. This hit right as we were going to press, so we’ll provide analysis later.
PGP Acquires TC TrustCenter & Chosen Security. If a PKI falls in the woods, does anyone hear it?
David Litchfield hangs up the gloves. David is an exceptional researcher who was a powerful counterbalance to Oracle marketing. Sad to see him go, but I think he had a great positive effect.
A perfect APT rant. Okay, it’s only near perfect, and some of the advice is a bit vanilla, but you gotta love a good rant.
Social Security Awards finalists revealed. Congrats to the nominees.
Rsnake releases massive list of Remote File Inclusion vulns. As in, over 1,000.
Mandiant releases info on APT attacks. These are the guys that actually investigate these attacks.
Bank sues cybercrime victim.
Mass data protection law going into effect. Don’t get too excited, at least until we see enforcement.
Google to pay for bugs in Chromium. Methinks they might want to pay a bit more, considering current market value.
Security B-Sides lining up for San Francisco. It’s a great event, and free!
iPhones vulnerable due to certificate handling flaw.
Need a security vendor? There’s a site for that. Boaz’s new site categorizes 600+ security vendors – should be a huge time saver.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Bryan Sullivan, in response to FireStarter: Agile Development and Security.

Great timing, my Black Hat talk this week (http://blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html#Sullivan) covers exactly this topic. If you’re coming to the briefings, stop by for the talk and we’ll get some conversation going. It’s definitely not impossible to do secure Agile dev. I would say that certain Agile tenets present challenges to secure dev, but you can say the same thing about waterfall. The trick is overcoming those challenges, and I think we’ve done a pretty good job with SDL-Agile. Of course, if you’re using SDL-A and finding shortcomings with it I’d love to know about those too so I can address them.