It’s been a bit of a busy week. We finished up 2 major projects and I made a quick out of town run to do a little client work. As a result, you probably noticed we were a bit light on the posting. For some silly reason we thought things might slow down after RSA.
I’m writing this up on my USAirways flight but I won’t get to post it until I get back home. Despite charging the same as the other airlines, there’s no WiFi. Heck, they even stopped showing movies and the AirMall catalogs are getting a bit stale. With USAirways I feel lucky when we have little perks, like two wings and a pilot. You know you’re doing something wrong when you provide worse service at the same price as your competitors. On the upside, they now provide free beer and wine in the lounge. Assuming you can find it. In the basement. Without stairs. With the lights out. And the “Beware of Tiger” sign.
Maybe Apple should start an airline. What the hell, Hooters’ pulled it off. All the flight attendants and pilots can wear those nice color coded t-shirts and jeans. The planes will be “magical” and they’ll be upgraded every 12 months so YOU HAVE TO FLY ON ONE! The security lines won’t be any shorter, but they’ll hand out water and walk around with little models of the planes to show you how wonderful they all are.
Er… maybe I should just get on with the summary. And I’m sorry I missed CanSecWest and the Pwn2Own contest. I didn’t really expect someone to reveal an IE8 on Windows 7 exploit, considering its value on the unofficial market. Pretty awesome work.
Since I have to write up the rest of the Summary when I get home it will be a little lighter this week, but I promise Adrian will make up for it next week.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Effort Will Measure Costs Of Monitoring, Managing Network Security.
- Database Security Metrics for the Community at Large.
- Security Optimism.
Favorite Securosis Posts
- David Mortman: FireStarter: There is No Market for Security Innovation.
- Mike Rothman: FireStarter: There is No Market for Security Innovation. Rich nails it. Read the comments. Great discussion.
- Rich: Announcing NetSec Ops Quant: Network Security Metrics Suck. Let’s Fix Them. I never thought Quant would grow like this – we’re now on our third project, with two of them running concurrently.
Other Securosis Posts
Favorite Outside Posts
- David Mortman: Side-Channel Leaks in Web Applications.
- Mike Rothman: Time and Cost to Defend the Town. Security is about trade-offs. Bejtlich strikes again by presenting the discussion we have to have with senior management..
- Rich: Securing Your Facebook. Threatpost with a nice place to send your friends and family for some easy to understand advice.
Project Quant Posts
Top News and Posts
- Hacker exploits IE8 on Windows 7 to Win Pwn2Own.
- Website Security Seals Smackdown.
- Google releases “Skipfish”, a free web application security scanner.
- Busting CyberFUD.
- Fired CISO says his comments never put Penn’s data at risk . Sorry, if you don’t have permission, and you want to keep your job, you don’t talk. I wish it were otherwise, but that’s how the world works.
- Mozilla Acknowledges Critical Zero Day Flaw in Firefox.
- TJX Hacker Gets 20-Year Jail Sentence.
- Researchers Finding New Ways to Bypass Exploit Mitigations.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Jim Ivers, in response to FireStarter: There is No Market for Security Innovation.
Great post and good observations. The security market is a very interesting and complex ecosystem and even companies that have an innovation that directly addresses a generally accepted problem have a difficult road. The reactive nature of security and the evolving nature of the problems to which the market responds is one level of complexity. The sheer number of vendors in the space and the confusing noise created by those numbers is another. Innovation is further dampened by the large established vendors that move to protect market share by assuring their customer base that they have known problems covered when there is evidence to the contrary.
Ultimately revenue becomes the gating factor in sustaining a growing company. But buyers have a habit of taking a path of risk avoidance by placing bets on establish suites of products rather than staking professional reputation on unproven innovative ideas. Last I checked, Gartner had over 20 analysts dedicated to IT security in one niche or another, which speaks to how complex the task of evaluating and selecting IT security products can be for any organization. The odds of even the most innovative companies being heard over the noise are small, which is a shame for all concerned, as innovation serves both the customers and the vendors.
Comments