This will be our last Friday Summary for 2008. This afternoon Adrian and I are off to The Office for our Securosis Annual Staff Festivus Party (sorry Chris, but we can drunk dial you if that makes you feel included).

2008 has been an incredibly wild ride. When it started I was just a solo consultant that wasn’t even calling myself an analyst anymore, and wasn’t certain where I wanted to take things. In January I ran a half marathon on a bad knee that mysteriously felt better after the race, but in February I went in for shoulder surgery that I’m still struggling to recover from. Over the summer, Adrian joined Securosis and we moved firmly back into the analyst column. As the year closes we’ve published a ton of free content, multiple vendor-neutral whitepapers, spoken at everything from RSA, to SOURCE Boston, to DefCon, and a few TechTarget and MISTI events (including a show in Moscow), given over a dozen webcasts, and, to be honest, had a heck of a lot of fun in the process. We’ve written articles for everyone from Macworld to Dark Reading, been interviewed by… well, pretty much everyone else, and enjoyed more than a few frothy beverages with our industry friends. For two skinny guys (and a part-time editor/UNIX guru, also skinny) running a small company we really couldn’t have asked for more. We’ve decided to give back, and we’ll announce more on that next week.

And 2009 is looking even crazier. In February we’ll be adding a new staff member, the exact date, gender, length, and weight are still undetermined (if he or she is over 8 lbs, my wife might kill me). We’re also completely redesigning our website as we continue to expand things a bit. This site started as just my personal blog, and as we keep pumping out content it isn’t nearly as well suited as it was at the beginning. The blog won’t change, but we’re going to make content more accessible and start loading up new kinds of materials- like videos of our conference presentations.

We’re also really going to push forward with the ideas of totally transparent and open research. We’re not idiots, and we don’t intend on competing with Gartner, Forrester, and the other large firms, but we still love what we do and think there’s plenty of room for us little guys (and our combined weight is pretty low, not that that’s relevant). We have more flexibility than they do, and you can expect no bullshit research that’s focused on in-depth, practical advice to help you with specific projects. We already have two programs planned- Pragmatic PCI, and Pragmatic Database Security (we’ll have to charge for those, since we have to keep the dogs, cats, and other little ones fed). Finally, we have some new media, social media, and community stuff in the works.

Okay- I realize that all sounded like marketing junk, but I think we’re allowed to be excited about what we’ve done, and what we have planned, from time to time. We are incredibly thankful for the opportunities and support you’ve all given us. And as a preview, here’s the official premier of our new logo (it will look better on the new site template): logo_securosis.png Have a wonderful holiday season. We’ll be reducing our posting volume a bit over the holidays, but stay tuned for the end of our web application series and a few other treats.

Here is the week’s security summary:

Webcasts, Podcasts, Outside Writing, and Conferences:

Favorite Securosis Posts:


p>Favorite Outside Posts:

{Adrian editorial}- I have been following the series of posts between Alan Shimmel and Andy the IT Guy (links below). They are touching on the very heart of the sales process and common friction between the IT gatekeeper and the salesman. But I thought they both danced around the key point. The sales guy is doing his job by pushing as hard as he can to get the deal done without pissing everyone off to the point the organization gets fed up and will no longer work with you. A good sales guy knows there is always a deal if they can overcome objections (price, support, consultative assistance, etc) because they would not be talking if the need was not there. However buyers buy from people they know, like, and trust, and trampling the gatekeeper is a good way to make enemies. Alan’s comment “Try putting yourself in the other’s shoes to better understand what is involved. Common courtesy and respect would be a good place to start” cuts both ways. Seems to me the sales guy failed to build proper relations before making the ‘hail-Mary’ sales pitch. -Adrian

Top News and Posts:

Blog Comment of the Week:

EB on Part 6 of our Building a Web Application Security Program:
One piece I thought I would mention under your “Penetration Testing” subheading (which you may have been implying) is the risk of linking vulnerabilities. For example, while one SQL injection flaw may not reveal sensitive information (PII, cc#), it could reveal usernames, password hints, or a list of database tables that may seem trivial at the time; however, as the penetration test continues, and more ‘tidbits’ of information are discovered, it could lead to retrieval of sensitive information. For example, retrieving a list of user accounts and noting that the application requires weak passwords could lead to a valid, authenticated user session by the penetration tester. Another example is vulnerability retrieves a spreadsheet of employees’ last 4 digits of their SSN which can also be used to reset a user’s password on the application. The examples can go on and on…

Linking of vulnerabilities and the ability to assess the application as a whole is a quality that companies should ensure, if a third-party is engaged, will perform.