This will be our last Friday Summary for 2008. This afternoon Adrian and I are off to The Office for our Securosis Annual Staff Festivus Party (sorry Chris, but we can drunk dial you if that makes you feel included).

2008 has been an incredibly wild ride. When it started I was just a solo consultant that wasn’t even calling myself an analyst anymore, and wasn’t certain where I wanted to take things. In January I ran a half marathon on a bad knee that mysteriously felt better after the race, but in February I went in for shoulder surgery that I’m still struggling to recover from. Over the summer, Adrian joined Securosis and we moved firmly back into the analyst column. As the year closes we’ve published a ton of free content, multiple vendor-neutral whitepapers, spoken at everything from RSA, to SOURCE Boston, to DefCon, and a few TechTarget and MISTI events (including a show in Moscow), given over a dozen webcasts, and, to be honest, had a heck of a lot of fun in the process. We’ve written articles for everyone from Macworld to Dark Reading, been interviewed by… well, pretty much everyone else, and enjoyed more than a few frothy beverages with our industry friends. For two skinny guys (and a part-time editor/UNIX guru, also skinny) running a small company we really couldn’t have asked for more. We’ve decided to give back, and we’ll announce more on that next week.

And 2009 is looking even crazier. In February we’ll be adding a new staff member, the exact date, gender, length, and weight are still undetermined (if he or she is over 8 lbs, my wife might kill me). We’re also completely redesigning our website as we continue to expand things a bit. This site started as just my personal blog, and as we keep pumping out content it isn’t nearly as well suited as it was at the beginning. The blog won’t change, but we’re going to make content more accessible and start loading up new kinds of materials- like videos of our conference presentations.

We’re also really going to push forward with the ideas of totally transparent and open research. We’re not idiots, and we don’t intend on competing with Gartner, Forrester, and the other large firms, but we still love what we do and think there’s plenty of room for us little guys (and our combined weight is pretty low, not that that’s relevant). We have more flexibility than they do, and you can expect no bullshit research that’s focused on in-depth, practical advice to help you with specific projects. We already have two programs planned- Pragmatic PCI, and Pragmatic Database Security (we’ll have to charge for those, since we have to keep the dogs, cats, and other little ones fed). Finally, we have some new media, social media, and community stuff in the works.

Okay- I realize that all sounded like marketing junk, but I think we’re allowed to be excited about what we’ve done, and what we have planned, from time to time. We are incredibly thankful for the opportunities and support you’ve all given us. And as a preview, here’s the official premier of our new logo (it will look better on the new site template): Have a wonderful holiday season. We’ll be reducing our posting volume a bit over the holidays, but stay tuned for the end of our web application series and a few other treats.

Here is the week’s security summary:

Webcasts, Podcasts, Outside Writing, and Conferences:

• The Network Security Podcast is a little shorter this week as we finish off the year. As an aside, Martin and I would like to apologize for our recent audio difficulties. We narrowed it down to a bad sound card on Martin’s side, and are changing our recording process for higher quality (we’ll be moving to double-ended recording).
• Via NetworkWorld, I gave a webcast for Oracle on Database Security for Security Professionals. It targets security pros who may be new to databases, and the replay is available here.
• I talked with Forbes about antivirus scanners.
• I debunked some FUD by Bit9 on automatic software updates in enterprises for LinuxInsider. IT departments can turn them off, so I don’t see what the problem is.
• Adrian talked database security with eWeek.
• Adrian on log management for internetnews.com.
• Someone named Adrian Lane is into otters. It’s the UK, so probably a different guy, but we’ll take all the press we can get.

Favorite Securosis Posts:

• Rich: Part 6 of our Building a Web Application Security Program. We really want to get this series (and the eventual paper) right, so any feedback, comments, and (especially) criticisms are very much appreciated.
• Adrian: While my practical experience has come to the same set of conclusions, finding meaning is groups of anonymous statistical patterns to justify database security is a black art I don’t care to dabble in.

<

p>Favorite Outside Posts:

{Adrian editorial}- I have been following the series of posts between Alan Shimmel and Andy the IT Guy (links below). They are touching on the very heart of the sales process and common friction between the IT gatekeeper and the salesman. But I thought they both danced around the key point. The sales guy is doing his job by pushing as hard as he can to get the deal done without pissing everyone off to the point the organization gets fed up and will no longer work with you. A good sales guy knows there is always a deal if they can overcome objections (price, support, consultative assistance, etc) because they would not be talking if the need was not there. However buyers buy from people they know, like, and trust, and trampling the gatekeeper is a good way to make enemies. Alan’s comment “Try putting yourself in the other’s shoes to better understand what is involved. Common courtesy and respect would be a good place to start” cuts both ways. Seems to me the sales guy failed to build proper relations before making the ‘hail-Mary’ sales pitch. -Adrian

• Adrian: Humorous series of posts between Shimmel and Andy the IT Guy.
• Rich: Layer 8 on planning your security for 2009. Really great practical advice.

Top News and Posts:

• Looks like automakers will get a bail-out after all.
• Microsoft’s out-of-cycle IE patch.
• Practical advice on dealing with botnets … even if your legal team disavows any such possibility.
• RIAA is finally killing off their incredibly stupid strategy of suing individual file sharers.
• Jeremiah on web application security and history. He’s going to out-analyst us if he keeps this up. Come on Jer, we need to feed our kids too!
• Microsoft releases their Anti-XSS library for .Net. This is a far bigger deal than I think most people realize, and hasn’t been picked up by the press yet.
• My friends, for $20 you could have owned a former McCain campaign Blackberry… with all the contacts. Joe the Plumber’s phone must be ringing off the hook!

Blog Comment of the Week:

EB on Part 6 of our Building a Web Application Security Program:
One piece I thought I would mention under your “Penetration Testing” subheading (which you may have been implying) is the risk of linking vulnerabilities. For example, while one SQL injection flaw may not reveal sensitive information (PII, cc#), it could reveal usernames, password hints, or a list of database tables that may seem trivial at the time; however, as the penetration test continues, and more ‘tidbits’ of information are discovered, it could lead to retrieval of sensitive information. For example, retrieving a list of user accounts and noting that the application requires weak passwords could lead to a valid, authenticated user session by the penetration tester. Another example is vulnerability retrieves a spreadsheet of employees’ last 4 digits of their SSN which can also be used to reset a user’s password on the application. The examples can go on and on…

Linking of vulnerabilities and the ability to assess the application as a whole is a quality that companies should ensure, if a third-party is engaged, will perform.