Securosis

Research

Trends in Data Centric Security [New Series]

It’s all about the data. The need of many different audiences to derive value from data is driving several disruptive trends in IT. The question that naturally follows is “How do you maintain control over data regardless of where it moves?” If you want to make data useful, by using it in as many places as you can, but you cannot guarantee those places are secure, what can you do? Today we launch a new series on Data Centric Security. We are responding to customer inquiries about what to do when moving data to locations they do not completely trust. The majority of these inquires are motivated by “big data” usage as firms move data into NoSQL clusters. The gist is that we don’t know how to secure these environments, we don’t really trust them, and we don’t want a repeat of data leakage or compliance violations. Here at Securosis we have blogged about NoSQL security for some time, but the specifics of customerinterest came as a surprise. They were not asking “How do I secure Hadoop?” but instead “How do I protect data?” with specific interest in tokenization and masking. An increasing number of firms are asking about data security for cloud environments and HIPPA compliance – again, more focused on data rather than system controls. This is what Data Centric Security (DCS) does: embed security controls into the data, rather than into applications or supporting infrastructure. The challenge is to implement security controls that do not not render the data inert. Put another way, they want to derive value from data without leaving it exposed. Sure, we can encrypt everything, but you cannot analyze encrypted data. To decrypt within the environment means distributing keys and encryption capabilities, implementing identity management, and ensuring the compute platform itself is trustworthy. And that last is impossible when we cannot guarantee the security of the platform. Data Centric Security provides security even when the systems processing data cannot be fully trusted. We can both propagate and use data to derive business value while still maintaining a degree of privacy and security. Sounds like a fantasy, but it’s real. But of course there are challenges, which I will detail later in this series. For now understand that you need to actively select the right security measure for the specific use case. This makes data centric security a form of data management, and requires you to apply security polices, transform the data, and orchestrate distribution. This is not intended to be an exhaustive research effort, but an executive summary of data centric security approaches for a couple emerging use cases. This series will cover: Use Cases: I will outline the top three use cases driving inquiries into data centric security, and specific challenges presented by them. Data Centric Technologies: We will examine a handful of technologies that support data centric security. We will explore tokenization, masking, and data element/format preserving encryption, as well as some other tricks. Data Centric Security Integration: We will discuss how to incorporate DCS into data management operations and deploy these technologies. This is a combination of tools and process, but where you begin your journey affects what you need to do. Our next post will cover DCS use cases. Share:

Share:
Read Post

Open Source Development Analysis: Development Trends

For the final installment of our analysis of the 2014 Open Source Development and Application Security Survey, we will focus on open source development trends. Our topic is less security per se, and more how developers use open source, how it is managed, and how it is perceived in the enterprise. Are open source components more trustworthy than commercial software? An unambiguous question in the survey asked, “Do you believe software assembled with open source is as secure as commercial off-the-shelf (COTS)?” Under 9% said that software assembled with open source is less secure, with over 35% stating they believed open source is more secure than COTS. Even more interesting: survey participants who responded before Heartbleed believed applications assembled using open source components were more secure that COTS was at 34.83%. After Heartbleed: 36.06%. Yes, after a major vulnerability in an open source component used in millions of systems around the globe, confidence in open source security did not suffer. In fact it ticked up a point. Ironic? Amazing? All I can say is I am surprised. What people believe is not necessarily fact. And we can’t really perform a quantitative head-to-head comparison between applications assembled with open source components and COTS security to verify this belief. But the survey respondents deal with open source and commercial software on a daily basis – they are qualified to offer a professional opinion. The net result is for every person who felt COTS was more secure, four felt that open source was more secure. In any sort of popular vote that qualifies as a landslide. Banning components “Has your company ever banned the use of an open source component, library or project?” The majority of respondents, some 78%, said “No”. Still, I have singled this question out as a development practice issue. Something I hear organizations talk about more and more. Software organizations ban components for a number of reasons. Licensing terms might be egregious. Or they might simply no longer trust a component’s reliability or security. For example virtually all released Struts components have severe security exploits, described by critical CVE warnings. Poorly written code has reliability and security issues. The two tend to go hand in hand. You can verify this by looking at bug tracking reports: you will see issues clump together around one or two problematic pieces of software. Banning a module is often politically messy as because it can be difficult to find or build a suitable replacement. But it is an effective, focused way to improve security and reliability. Post-Snowden we have seen increased discussion around trust and whether or not to use certain libraries because of potential subversion by the NSA. This is more of a risk perception issue than more tangible issues such as licensing, but nonetheless a topic of discussion. Regardless of your motivation, banning modules is an option to consider for critical – or suspect – elements of your stack. Open source policies Open source policies were a major focus area for the survey, and the question “Does your company have an open source policy?” was the lead in for several policy related questions. 47% of respondents said they have a policy. When asked, “What are the top three challenges with your open source policy?” the top three responses were that 39% believed that a top challenge is that it does not deal with security vulnerabilities, 41% stated there is little enforcement so workarounds are common, and 35% said what is expected is not clear. This raises the question: What is in an open source policy? The answer dovetails nicely with an early survey question: “When selecting components, what characteristics would be most helpful to you?” That is how you decide. Most companies have a licensing component to their policies, meaning which types of open source licenses are permitted. And most specify versioning and quality controls, such as no beta software. More often than not we see policies around security – such as components with critical vulnerabilities should be patched or avoided altogether. After those items, the contents of open source policies are wide open. They vary widely in how prescriptive they are – meaning how tightly they define ‘how’ and ‘what’. “Who in your organization is primarily responsible for open source policy / governance?” While the bulk of responsibility fell on development managers (34%) and IT architects (24%), much of it landed outside development. Legal, risk, and executive teams are unlikely to craft policies which development can implement easily. So development needs to either take ownership of policies, or work with outside groups to define feasible goals and the easiest route to them. We could spend many pages on policies, but the underlying issue is simple: Policies are supposed to make your life easier. If they don’t, you need to work on the policies. Yes, I know those of you who deal with regulatory compliance in your daily jobs scoff at this, but it’s true. Policies are supposed to help avoid large problems or failures down the road which cost serious time and resources to fix. Here is the simple dividing line: policies written without regard for how they will be implemented, or a clear path to make open source use easier and better, are likely to be bypassed. Just like development processes, policies take work to optimize. Once again, you can find the final results of the survey here. Share:

Share:
Read Post

Open Source Development Analysis: Application Security

Continuing our analysis of the 2014 Open Source Development and Application Security Survey, we can now discuss results as the final version has just been released. Today’s post focuses on application security related facets of the data. Several questions in the survey focused on security practices within open source development, including vulnerability tracking and who is responsibility for security. I will dive into the results in detail, sharing my perspective on where things are getting better, which results surprised me, and where I believe improvements and attention are still needed. Here we go… Who’s talking? When analyzing a survey I always start with this question. It frames many of the survey’s answers. Understanding who is responding also helps illuminate the perspective expressed on the issues and challenges discussed. When asked “What is your role in the organization?” the respondents were largely developers, at 42.78% of those surveyed. Considering that most architects, DevOps types, and build managers perform some development tasks, it is safe to say that over 50% of respondents have their hands on open source components and projects. A full 79% (include development managers) are in a position to understand the nuances of open source development, judge security, and reflect on policy issues. Is open source important? The short answer is “Hell yes, it’s important!” The (Maven) Central Repository – the largest source of open source components for developers – handled thirteen billion download requests last year. That’s more than a billion – with a ‘B’ – every month. This statistic gives you some idea of the scale of open source components used to assemble software applications today. What’s more, the Sonatype data shows open source component usage on the rise, growing 62% in 2013 over 2012, and more than doubling since 2011. When asked “What percentage of a typical application in your organization is comprised of open source components?” at least 75% of organizations rely on them in their development practices. While ‘0-20%’ was an option, I am willing to bet few were really at ‘zero’ because those people would be highly unlikely to participate in this survey. So I believe the number with some involvement (including 1-20%) is closer to 100%. The survey looked at use of open source components across verticals; they captured responses from most major industries including banks, insurance, technology/ISV, and government. Open source component usage is not relegated to a few target industries – it is widespread. The survey also asked “How many developers are in your organization?” to which almost 500 participants answered 1,000 or more. Small firms don’t have 1,000 developers, so at least 15% of responses were from large enterprises. That is a strong showing, given that only a few years ago large enterprises did not trust open source and generally refused to officially endorse its use on corporate systems. And with nearly 700 responses from organizations with 26-100 developers, the survey reflects a good balance of organizational size. Adoption continues to climb because open source have proven its worth – in terms of both quality and getting software built more quickly when you don’t try to build everything from scratch. More software than ever leverages contributions from the open source community, and widespread adoption makes open source software incredibly important. Are developers worried about security? Questions around software security were a theme of this year’s audit, which is why the name changed from years past to “Open Source Development and Application Security Survey”. A central question was “Are open source vulnerabilities a top concern in your position?”, to which 54.16% answered “Yes, we are concerned with open source vulnerabilities.” Concern among more than half of respondents is a good sign – security is seldom part of a product design specification, and has only recently become part of the design and testing phases of development. Respondents’ concerned with vulnerabilities is a positive sign. Viewed another way, 10 years ago that number was about zero, so we see a dramatic change in awareness. Outside development security practitioners get annoyed that only about 50% responded, “Yes” to this question. They zealously believe that when it comes to software development, everyone from the most senior software architect to the new guy in IT needs to consider security practices a priority. As we have seen in breaches over the last decade, failure only takes one weak link. Lending support to the argument that software development has a long way to go when it comes to security, 47.29% of respondents said “Developers know it (Security) is important, but they don’t have time to spend on it.” The response “I’m interested in security and the organization is not.” is very common across development organizations. Most developers know security is an open issue. But fixing security typically does not make its way up the list of priorities while there are important features to build – at least not until there is a problem. Developers’ growing interest in security practices is a good sign; allocation of resources and prioritization remains an issue. What are they doing about it? This year’s results offer a mixed impression of what development organizations are actually doing about security. For example one set of responses showed that developers (40.63%) are responsible for “tracking and resolving newly discovered vulnerabilities in components included in their production applications.” From a developer’s perspective this result looks legitimate. And the 2014 Verizon Data Breach Investigations Report makes clear that the application stack is where the main security issues are being exploited. But application security buying behavior does not jibe with patterns across the rest of the security industry. Understanding that the survey participants were mostly developers with an open source perspective, this number is still surprising because the vast majority of security expenditures are for network and endpoint security devices. Security, including application security, is generally bolted on rather than fixed from within. Jeremiah Grossman, Gunnar Peterson and others have all discussed the ineffectiveness of gearing security toward the network rather than applications. And the Whitehat Website Security Statistics report shows a long-term cost benefit from fixing problems within applications, but what we

Share:
Read Post

Firestarter: Apple and Privacy

Mike is out on a beach this week sunning himself (don’t think to hard about that) so Rich and Adrian join up to talk about some interesting developments in Apple privacy, and how Apple may be using it to get some competitive advantage. The audio-only version is up too. Share:

Share:
Read Post

2014 Open Source Development Webcast this Wednesday

Reminder: 2014 Open Source Development Webcast this Wednesday A quick reminder: Brian Fox and I will be doing a webcast this Wednesday (June 18th) on the results of the 2014 Open Source Development and Application Security Survey. We have decided to divide the survey into a half dozen or so focus areas and discuss the results. We have different backgrounds in software development so we feel an open discussion is the best way to offer perspective on the results. Brian has been a developer and worked with the open source community for well over a decade, and I have worked with open source since the late ’90s and managed secure code development for about as long. The downside is that we were both created with the verbose option enabled, but we will be sure to leave time for comments at the end. Register for the webcast to listen in live. Talk to you Wednesday! Share:

Share:
Read Post

Mobile Malware Supply and Demand

Just in case you thought supply and demand don’t apply to our little area of the world, think again. It is interesting to read about a $5,000 malware kit targeting Android. Dan Goodin digs into the specifics of the iBanking malware kit, the breadth of its capabilities, and how it proliferates (typically against users already infected with financial malware on their PCs); and resists whitelists to evade detection and prevention. But why does this particular package warrant such a high price? Market opportunity, of course. With the number of Android phones out there, the math indicates it is probably a worthwhile investment, especially given the number of folks doing mobile banking and commerce. See? Supply and demand. Econ 101, folks. Not long ago, the so-called iBanking malware package offered little more than a way for traditional PC trojans that target online bank accounts to bypass two-factor authentication protections. While the interception of incoming and outgoing SMS messages remains the main selling point, iBanking has morphed into the Swiss Army knife of Android malware. Included in the $5,000 fee is the ability to redirect incoming voice calls, covertly capture sounds within range of the device’s microphone, track geolocation, access the file system, and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset. There is also a free version of iBanking available, but many attackers opt for the paid version which includes updates and support. That’s awesome, and nicely illustrates that software is software and freemium is a great market-building strategy. Whatever your product does… Photo credit: “excellent visual aid” originally uploaded by arianne Share:

Share:
Read Post

Incid#*%$ Happen: Manage Them

We all fall into the trap of adopting industry lingo to describe various functions. But when you take a step back, and think about mental cues we need to perform our best, sometimes it makes sense to look at things a bit differently. We all call the function of dealing with an attack incident response now. To be clear, respond is a better word than react because it at least implies logical thought about how to respond. But the next step is to manage incidents. Integriography has a good post about this distinction, with an analogy that will warm Rich’s heart – comparing processes to Emergency Management. I knew I have heard that before somewhere… Tornados, earthquakes, fires, automobile accidents, heart attacks, and many more emergencies happen daily. Rather than treating these as one off incidents that require all hands on deck, emergency services plan, recruit, train, and respond in a very calm, business like manner because it is their normal business. Right. Dealing with attacks is our normal business. So it’s time we start managing to that. It is probably time to update our terminology to reflect this. (h/t to grecs, who pointed me to this post.) Photo credit: “Emergency” originally uploaded by michaelgoodin Share:

Share:
Read Post

Friday Summary: June 13, 2014

As Rich said in last week’s Summary, the blog will be quiet this summer because we are busier than we have ever been before. The good news is that new research and Securosis offerings are usually the result. But that does not stop us from feeling guilty about our lack of blogging. With that, I leave you with a couple thoughts from my world this week on a Friday the 13th: Picture an older Formula 1 car. Blindingly fast. Pinnacle of design in its day. Maybe Stirling Moss or Ayrton Senna drove it to victory. It’s still beautiful and fast, but you can’t race it today because it’s not competitive. It can’t be. In some cases the rules of F1 change so great technologies can no longer be used (i.e., ground effects). In other cases the technologies are longer state-of-the-art. You cannot – and should not – retrofit an old chassis. So what do you do with the car? Seems a shame to relegate an F1 car to the dustbin, but you can’t compete with it any longer. As part of our day jobs we get asked to review products and make suggestions on the viability of platforms going forward. Sometimes product managers want us to vet their roadmaps; sometimes we are asked to support a due diligence effort. Whatever the case, we occasionally find cases where a great old product simply cannot compete or be retrofitted to be competitive. Don’t get emotionally attached because it was the S#!$ in its day, and best not think too much about sunk costs – just go back to the drawing board. A fresh start is your only answer. There are many alternatives to passwords. Some outfits, like nospronos.com have recycled an old idea to do away with user passwords on their World Cup web site. Users each get a ‘secret’ URL to their web page, and a public URL to share with friends. Sound familiar? Public key crypto is the gist here: the user gets a private account, the web site does not need to store or manage user passwords, and they can still share content with friends. Good idea? In the short term it’s great, because by the time the users lose or leak passwords the World Cup will be over. It’s fragile, but likely just secure enough to work just long enough. Well, it would have if they had only remembered to issue HTTPS URLs. Oh well… sans passwords and sans privacy means sans security. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mortman quoted in “The 7 skills Ops pros need to succeed with DevOps”. Adrian quoted on Gazzang acquisition by Cloudera. Adrian to present on the Open Source and Application Security Survey next week. Favorite Securosis Posts David Mortman: Open Source development Analysis. Actually – we all selected the Open Source development Analysis this week. Wonder why? Other Securosis Posts Take our IT practices survey and win cool stuff (and free data). Incite 6/11/2014: Dizney. Summary: Summer. Cloudera acquires Gazzang. Favorite Outside Posts Rich: After Heartbleed, We’re Overreacting to Bugs That Aren’t a Big Deal. Our job isn’t to fix everything, but to manage risk and fix things in the right order. Mike Rothman: The CSO’s Failure to Lead. Is the inability to execute on a security program the fault of the CISO? Maybe. Maybe not. Causation is not correlation. Dave Lewis: ISS’s View on Target Directors Is a Signal on Cybersecurity. If you are keeping score at home we have a number of firsts: CIO dismissal, credit rating downgrade, CEO dismissal, and boardroom shakeup. That is a lot of firsts – this is a Sputnik moment for security. David Mortman: Here’s How You Pick the “Unpickable” Bike Lock. Adrian Lane: 10 things: #1 Parameterize Database Queries. Jim Bird is going through the OWASP Top 10 and explaining the whys and hows to protect against these issues. It’s a series, and this is the first post. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet?. Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts GameOver Zeus botnet disrupted by FBI, Microsoft 14-Year Olds Hack ATM With Default Password More Fun with EMV Adobe, Microsoft Push Critical Security Fixes iOS 8 to stymie trackers and marketers with MAC address randomization ‘NSA-proof’ Protonet server crowdfunds $1m in under 90 minutes SSL/TLS MITM vulnerability CVE-2014-0224 TweetDeck wasn’t actually hacked, and everyone was silly Can You Track Me Now? Blog Comment of the Week This week’s best comment goes to Marco Tietz, in response to the Open Source Development and Application Security Analysis. That is pretty cool, looking forward to your coverage. As I’m working with Sonatype right now on a couple of things, I can confirm that they know what they are doing and that they are in fact in a pretty unique position to provide insights into open source usage and possible security implications. Share:

Share:
Read Post

Take our IT practices survey and win cool stuff (and free data)

Thanks to the cloud, mobility, and emerging practices like DevOps, I don’t think anyone would argue we aren’t in one of the most rapidly evolving IT eras since the emergence of the World Wide Web. Like it, hate it, or anywhere in between, everyone I speak with knows the winds have changed. Personally I believe these disruptions are more impactful than our first tenuous connections to the Internet but that’s fodder for another post. It is clear we don’t yet know fully how these advances will change existing IT practices across different kinds of organizations. That’s why we are partnering with JumpCloud to get a better sense of these evolving technologies; along with the impact of, and approaches to, internal practices and DevOps. This isn’t a vendor-licensed or -sponsored study. JumpCloud is on the operations side, Securosis on the security side, and we are both looking for a better idea of what’s going on out there, so we decided to partner up. You can take the survey here. As usual, we will release all the raw data (anonymized, of course) back to the community. We are also giving away cool stuff to random winners who complete the entire survey (and leave contact info). An Amazon Fire TV, Samsung Gear 2 Neo Smartwatch, or a Fitbit Flex. (We decided to change things up from the usual Apple giveaway). So please spread the word and take the survey. Share:

Share:
Read Post

Incite 6/11/2014: Dizney

This week I will take a page from Adrian’s Friday Summary approach, and just offer a stream of consciousness about the recent trip the family and I took to DisneyWorld. We went down there to watch the girls dance in Downtown Disney. Their dance company does this every other year, which means we are down in Orlando doing the Disney thing every two years. Trying to be more present and aware in my daily life was interesting in a place like Disney. So let me start with a few observations. First of all, it’s expensive to hang out with the Mouse. We get a great deal on tickets to the parks and it still costs a metric crap ton of coin to be there for a couple days. Then you throw in food, bottled water, and the bargain $8 ponchos (which are a bargain during the 20 minute daily downpours) – and it’s not a cheap vacation. Next you have people of all shapes, sizes, nationalities, languages, cultures, etc. If you think America in general is a great melting pot, spend a little time at Disney. You see young and old. Extended families. Those from the US and those not. Newlyweds. Bachelorette parties and all sorts of other groups. Most of these families have group t-shirts on. I just don’t get that. Do you think they wear that T-shirt any other time? Okay, don’t answer that. Actually the best shirts we saw all week were on a family that said, “We don’t believe in family trip t-shirts.” On all 20 of them. Hilarious. The diversity you see is really cool. The downside for me is varying levels of hygiene. I have a pretty sensitive nose and it can get a little steamy in June in Orlando. So standing on line for 40 minutes to ride Peter Pan (I’m still peeved at XX1 about that) next to a group that don’t get deodorant is unpleasant to say the least. You can also see the impact of mobile technology. We let XX1 roam around EPCOT with her dance friends one of the days. We always knew how to get in touch with her. The expectation was that she would check in every hour or so. And worst case we could always use Find My Friends to see where she was. I noticed loads of people with heads down on mobile devices as they walked the park. They were missing the experience, but that’s the culture today. Same goes for folks who watch rides or their kids dancing through the viewfinder of a camera. That doesn’t work for me but it’s common. One dude got it right and had a GoPro camera affixed to his kid’s stroller. I guess to record the reactions to seeing Mickey and the like. That was pretty cool – like a second set of eyes. I didn’t see anyone with Google Glasses on, so there’s that. Last summer I rued missing XX1’s first experience riding a big roller coaster. I did make amends by doing the Rock and Roller Coaster with both the girls and then the Tower of Terror. The girls couldn’t be more different. XX1 was cursing up a storm on both rides (though she did ask before spewing profanity – manners first). I wonder where she got that from? The Daredevil (XX2) was laughing throughout both rides. And best of all, I was right next to the Boy as we rode the Everest coaster in Animal Kingdom. He was scared, like I was the first time I rode a coaster. Which was a little curious given he has no issue doing a 5-story drop at the water park. He cried a little as we boarded the car, much to the chagrin of the family behind us – who thought I was a monster forcing my son onto the ride. I was in his ear the whole time assuring him it was going to be great. As we made the first climb, he ducked a little to not see much of anything. Then we were off, and as he squeezed my hand through the backwards drop and as we pulled a G or 2 through the curves and drops. You know what? He survived. And he loved it! I loved being there right next to him as he experienced it. That’s what being a Dad is all about. The reason we went to Orlando also worked out marvelously. Despite raining pretty much all day, the sun came out and shined during their performance. And the girls shined as well. I have mentioned there are few things more gratifying than seeing your kids excel at something they are passionate about. So as long as they want to dance in Disney, I’ll be down there every two years, contributing to the Mouse economy and riding roller coasters with all my kids. And loving every minute of it. –Mike Photo credit: “Mickey Mouse Magician” originally uploaded by Alain The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. June 2 – Sputnik or Sputnot May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.