Securosis

Research

When Security Services Attack

In the unintended consequences file, it’s awesome when big honking devices to stop attacks get owned and blast other sites. Yup, the folks at Incapsula found a huge DDoS that was leveraging equipment from two (not one, but two!) DDoS protection services. The perpetrators hijacked and leveraged the power of two separate high-capacity servers belonging to unnamed DDoS protection services providers, Zeifman said. He explained that this type of strong network infrastructure, built to defend against volumetric attacks, offers attackers a way to “fight fire with fire.” What’s great is that DDoS mitigation service providers are justifiably more focused on ingress traffic and getting rid of crap. Outbound stuff gets less scrutiny. So it was easy for attackers to hide in the flood of other traffic. This is just a reminder that if it can be used against you, it will. And ‘it’ is anything. Share:

Share:
Read Post

Firestarter: Wanted Posters and SleepyCon

We apologize for the quality of this week’s show… but Rich is on the road and can’t seem to understand the word ‘bandwidth’. Assuming you are willing to put up with us, watch us amuse ourselves over FBI wanted posters with Chinese army members on them. Then we debate the sometimes-sorry state of 95% of the 863 security cons in the world. The audio-only version is up too.   Share:

Share:
Read Post

CEO on Line 2

It has been a couple weeks since Target’s CEO was fired. Maybe not officially fired, but for all intents and purposes that’s what happened. The data breach was the most visible reason, though as George Hulme points out that was really a red herring. It’s easy to peg all of these changes at the feet of the data breach, and I think the breach is certainly part of the mix for these recent shake-ups. But Target was having execution troubles prior to the breach. Most notably its huge misstep into the Canadian market… The Slant blog, at InvestorPlace, advised its readers to sell Target stock, not because of the breach, but because of weak sales and profits that had nothing to do with the data breach… That said, any time a CEO’s head rolls down the hall, every other CEO with their head still attached wants to make sure that won’t happen to them. So they make a couple calls. The first is likely to the CFO, and then the CIO. They will offer up some platitudes, and tell how much work has been done on security, and what the amount of investment looks like. Then they will talk about how the CISO has been driving that program. So if you are the CISO (or the senior security professional), you get the call after those. In fact I would be pretty surprised if many CISOs in enterprise-class companies weren’t having little sit-downs with their CEOs, and maybe even the audit committees, to revisit program and address gaps. Obviously this should be happening on an ongoing basis (and probably does), but these out-of-cycle meetings will happen as well. Which brings up the question: what do you say? Are you honest when the CEO asks whether that kind of breach can happen to your organization? Do you tell him/her that despite continued (significant) investment, your answer is the same: you have no idea? Actually, that’s exactly what you do. You stay consistent, which (should be) brutally honest about your security posture and your risks. Some CEOs want you to blow smoke up their backside, and if that’s the case dust off your resume. If the CEO wants to hear the truth, tell him/her. They should know what’s at stake. As Dave Lewis says: But, the reality in a large corporation such as this there is often a need for a significant event in order to affect change. Though hopefully you don’t need to parade into your CEO’s office with another CEO’s head on a pike to make your point. All the same, it’s an opportunity, so don’t squander it. Photo credit: “Head on a pike” originally uploaded by Newtown graffit Share:

Share:
Read Post

Friday Summary: May 16, 2014

It’s odd, given the large number of security conferences I attend, how few sessions I get to see. I am always meeting with clients around events, but I rarely get to see the sessions. Secure360 is an exception, and that’s one of the reasons I like to go. I figured I’d share some of better ones – at least sessions where I not only learned something but got to laugh along the way: Marcus Ranum had an excellent presentation on “Directions in system log analysis”, effectively offering a superior architecture and design for log parsing – encouraging the audience anyone to build their own log analysis engines. What he sketched out will perform and scale as well as any existing commercial product. The analysis tree approach to making quick evaluations of log entries – which is successfully used in SQL statement analysis – can quickly isolate bad statements from good and spotlight previously unseen entries. I have a small quibble with Marcus’s assertion that you don’t need “big data” – especially given that he recommended Splunk several times, because Splunk is a flavor of NoSQL, and also because many NoSQL platforms are open source (meaning inexpensive), can store logs longer, and provide infrastructure for forensic analysis. Parsing at the edge may work great for alerting, but once you have detected something you are likely to need the raw logs for forensic analysis – at which point you can be looking for stuff that you threw away. Regardless, a great preso, and I encourage you to get the slides if you can. One of my favorite presentations the second day was Terenece Spies’ talk on “Defending the future” of payment security, talking about things like PoS security, P2P encryption, tokenization – all interwoven in a brief crypto history – and ending up with Bitcoin technology. The perspective he offered on how we got where we are today with payment security was excellent – you can see the natural progression of both payment and security technologies, and the points at which they intersect. This highlights how business and technology each occasionally overrun their dance partner to make the other look silly. Sure, I disagree with his assertion that tokenization means encryption – it doesn’t – but it was a very educational presentation on why specific security approaches are used in payment security. David Mortman did “Oh, the PaaS-abilities: Is PaaS Securable?”, offering a realistic assessment of where you can implement security controls and – just as importantly – where you can’t. David worked his way through each layer of the PaaS stack, contrasting what people normally handle with traditional IT against what they should do in the cloud, and what needs to be done vs. what can be performed. The audience was small but they stayed throughout, despite the advanced subject matter. Well, advanced in the sense that not many people are using PaaS yet, but many of us here at Securosis expect the cloud to end up there in the long run. With PaaS security thus, David’s security concepts are right at the cutting edge. David could probably keep doing this presentation for the next couple years – it’s right on the mark. If you are looking at PaaS find a copy of his presentation. Finally I had to choose between Rothman’s NGFUFW talk and Gunnar’s Mobile AppSec talk. Even though I work with Mike every day, I don’t get to see him present very often, so I watched Mike. You can read all his blogs and download his papers but it’s just not the same as seeing him present the material live – replete with stories decidedly unsuitable for print about some colorful pros. Good stuff! We are all traveling again this week, so we are light on links and news, and had no comment of the week. On to the Summary! Webcasts, Podcasts, Outside Writing, and Conferences Rich is presenting at Camp DevOps on Kick-aaS security Favorite Securosis Posts Adrian Lane: Firestarter: 3 for 5 – McAfee, XP, and CEOs. The well groomed edition. Other Securosis Posts Incite 5/14/2014: Solo Exploration. Summary: Thin Air. Favorite Outside Posts Mike Rothman: Undocumented Vulnerability In Enterprise Security. Look who’s now a Forbes contributor… Our own Dave Lewis. Nice post on the importance of documentation. Adrian Lane: The Mad, Mad Dash to Update Flash. The adoption charts are worth the read. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts What Target and Co aren’t telling you: your credit card data is still out there. Network Admin Allegedly Hacked Navy While on an Aircraft Carrier. Antivirus is Dead: Long Live Antivirus! Serious security flaw in OAuth, OpenID discovered. Share:

Share:
Read Post

Incite 5/14/2014: Solo Exploration

Is it possible to like interacting with people, yet need time alone? To really enjoy working in a team, yet cherish a night of solitude? I have always defined myself as an introvert. It provided a convenient excuse when I just didn’t want to deal with people. Though I do need my solo time to recharge, that’s for sure. But I also need to be social. Not all the time and not for extended periods of time, but a life of solitude doesn’t really appeal to me either. It’s an interesting contrast. I am on the road this week. Again. I’m not going to complain because I really enjoy working with clients, attending conferences, and seeing friends. It also means I’m busy, which is key in a small shop. But Monday night I didn’t want to mingle. In a conference situation I’m always on. It’s exhausting. By the end of the day Monday I was done. Normally I’d just get room service and stare at my computer, pretending to be ‘productive’. But Monday night the idea of another night in a nondescript hotel room wasn’t interesting. I needed to do something, but there were no major sports in town. And the local ballet and shows were dark since it was Monday night. Thankfully a quick search of the Google showed me the answer. It was time for some solo exploration. I found a show staged by a local theater company, only a short cab ride away. So I went to see it – by myself. I didn’t have a ticket. I didn’t take a map. I was in Canada, and being a cheap ass I didn’t even have Internet service on my phone. So no ability to have my magic device tell me things. I didn’t care. I was exploring. Not like Edmund Hillary or anything. But like a middle aged business guy in a city. The show was great. The experience was great. It was about how the decisions we make influenced by our fears and perceptions can get us in trouble. But it had a good ending and a better message about kindness and perseverance. Better yet, I got my time to recharge. I woke up Tuesday morning ready to go. Not long ago I would have been content to just sit in my room and maybe watch some sports. No longer. If I’m going to travel I may as well explore a bit. It’s a big world – I’m going to check it out. One city at a time. –Mike Photo credit: “Solo” originally uploaded by Ruth Flickr Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness Feb 10 – Mass Media Abuse 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Rich and Adrian are traveling this week, so no Incite from them. I do not judge. Though I point out that I’m on the road as well… First they’ll come for AV… Wendy makes a great point about how all these new-fangled advanced and next-generation security technologies don’t claim to replace the existing stuff. At least not on endpoints. Why? I am stumped, and I have been advising all these advanced endpoint folks to bundle in an AV engine to take that issue off the table. Why position a complimentary product, forcing customers to buy and run the old AV stuff as well, when they could go for the whole enchilada? Oh, it’s scary. Customers have inertia. Assessors may squeal like stuck pigs. But here’s the dirty little secret. Customers want to buy one solution. They want simplicity. They want bundling. Most of all they want something that works. I agree that bundling will continue among security products, and the traditional endpoint protection product will be first on the extinction list. – MR Time is your enemy: I didn’t mention anything specifically related to Mandiant/FireEye’s M-Trends report when it hit back in mid-April, but I should have. It is another great report providing useful perspective on attack trends. Richard Bejtlich does all of us a favor and highlights a key finding: time. His point, in referring to the Syrian Electronic Army’s attack on a media company, is that within a day an adversary will update malware to make it even harder to find. So once a device has been compromised the clock starts to tick. The good news is that Mandiant saw a general decrease in dwell time in 2013 (compared to 2012), but a decrease in the percentage of attacks discovered by the victim. Two steps forward, one step back – while we’re playing beat the clock. Progress

Share:
Read Post

Firestarter: 3 for 5- McAfee, XP, and CEOs

A lot is going on in security land, so Rich, Mike, and Adrian return with another 3 for 5 episode. Three stories, five minutes each, all the sarcastic bite in a convenient package. The audio-only version is up too.   Share:

Share:
Read Post

Summary: Thin Air

Rich here. A quick mention: I will run a security session at Camp DevOps in Boulder on May 20th. I am looking forward to learning some things myself. My wife and I spent this past weekend up in Flagstaff, AZ for our anniversary. I am not much of a city guy, and am really much happier up in the mountains. There is just something about the thin air that lifts my spirits. Our home is on the Northwest corner of Phoenix, with easy access to the hills, so Flag is a frequent getaway. It has mountains, half a dozen craft breweries, a compact downtown with surprisingly good food, and a place called “Hops on Birch” – what’s not to like? The best part (that I will talk about) was walking into a coffee shop/bar around lunchtime and realizing it was where all the local bartenders congregate to recover. We learned a lot about the town while sipping Irish coffees. Scratch that – the best part was ditching the kids. And walking to three of those craft breweries before ending with dinner at the Thai place. But top three for sure. As a researcher sometimes I forget that what seems blatantly obvious… isn’t. Take the reports today about Apple revealing what data it can share with law enforcement. I figured it was common knowledge, because Apple’s security model is pretty well documented, and I even lay out what is protected and how in my iOS security paper. But most reports miss the big piece: Apple can access the file system on a passcode protected device. Anyone else needs to use a jailbreak technique, which I find interesting. Especially because jailbreaks don’t work on recent hardware without a passcode. I had a pretty cool moment this week. I was writing an article on security automation for DevOps.com. I didn’t have the code for what I wanted, and it involved something I had never tried before. It only took about 20 minutes to figure it out and get it working. My days as an actual coder are long over, but it feels good to have recovered enough knowledge and skills that I can pinch hit when I need to. But it didn’t last long. I spent about 12 hours yesterday struggling to repair one of our cloud security training class (CCSK) labs. We have the students pick the latest version of Ubuntu in the AWS user interface when they launch instances, and then insert some scripts I wrote to set up all the labs and minimize their need for the command line. It pains me, but a lot of people out there get pissed if you force them to type in a black box instead of clicky-clicky. Thinking is hard and all. Ubuntu 14.04 broke one of the key scripts needed to make the labs work. I started debugging and testing, and for the life of me couldn’t figure it out. Nothing in logs, no errors even in verbose mode. I quickly narrowed down the broken piece, but not why it was broken. Running all the commands manually worked fine – it was only broken when running scripted. MySQL and Apache take a lot of domain knowledge I don’t have, and the Googles and Bings weren’t much help. Eventually I realized restarting MySQL was dropping the user account my script added. By changing the order around I got it working, but I still feel weird – I don’t know why it dropped the account. If you know, please share. On the upside I made the scripts much more user-friendly. I thought about completely automating it with all the DevOps stuff I have been learning, but the parts I have in there are important to reinforce the educational side of things so I left them. So a great weekend, fun coding, and a reminder of how little I really know. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in “Do you really think the CEOs resignation from Target was due to security?” Adrian and Mort speaking next week at Secure360. Rich with Adam Engst at TidBITS on the iOS Data Protection bug. Favorite Securosis Posts Adrian Lane: Firestarter: There Is No SecDevOps. The boys did a nice job with this one – and Mike got all existential! That mindful stuff must be having an effect. Mike Rothman: Firestarter: There Is No SecDevOps. I get to say “Security must lose its sense of self in order to survive,” in this week’s Firestarter. That’s all good by me. We were a little light this week – sorry about that. Big projects, travel, and deadlines have been ongoing problems. But heck, we still blog more than nearly anyone else, so there! Other Securosis Posts Incite 5/7/2014: Accomplishments. New Paper: Advanced Endpoint and Server Protection. Favorite Outside Posts Adrian Lane: Shifting Cybercriminal Tactics. You may be tired of cyber security reports, but this one from MS is a quick read – and the change in tactics is a sign that MS’ efforts on trustworthy computing are working. Rich: The Hunt for El Chapo. I have been on a real crime story kick lately. Mike Rothman: Antivirus is Dead: Long Live Antivirus! Krebs goes on a rant about how attackers test their stuff before attacking you with it, and that is a big reason AV doesn’t work well any more. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts What Target and Co aren’t telling you: your credit card data is still out there. Network Admin Allegedly Hacked Navy While on an Aircraft Carrier. Serious security flaw in OAuth, OpenID discovered. How the Target CEO resignation will affect other execs’

Share:
Read Post

Incite 5/7/2014: Accomplishments

Yesterday I was in Winnipeg. By choice! I was invited to speak at the Western Canada Information Security Conference, and there isn’t much I like better than giving talks in Canada. Folks are nice. They appreciate when you come up to their towns to talk. They don’t say much during the pitch, but they come up after the session or in the coffee line and make it clear that they were listening. Just like in the Northeast. OK, not so much. I was doubly excited to do yesterday’s talk because they asked me to do my Happyness talk. It is my favorite talk to do – not because I think it provides a good message for the audience… even though it does. Not because it gives people tools to deal with the despondency that is part of the security profession… although it does that too. I love giving the Happyness talk because it forces me to take a look at where I’ve been and what I’ve done to improve myself over the past 7 years. When I first put the pitch together, I had a picture of Grumpy with the caption: “My alter ego.” When I updated the pitch last year, I changed that caption to be: “I used to be this guy.” That’s right, I’m no longer grumpy. Really. If you perceive me being grumpy, you bought into my persona. That’s not me anymore. If you met me today and didn’t know me, you wouldn’t think I’m grumpy or even curmudgeonly. I didn’t really appreciate that fact until I was going through the deck this week to do some minor tuning. I realized I have spent a long time trying to improve my mental game. To deal with my impatience and anger. To do this I embraced mindfulness practices (see the Neuro-hacking talks I do with JJ) and it has made a huge difference in my mental health. I need to celebrate that accomplishment. So I think I will. Of course that doesn’t mean I don’t get frustrated or impatient anymore. I’m human, contrary to popular belief. But I don’t hold onto the frustration, and the impatience passes quickly. Which, given where I started, is pretty cool. While I’m celebrating I should probably acknowledge how I have transformed my physical self as well. Back in 2006 I was 70 pounds heavier with high blood pressure and all sorts of other issues starting to manifest. So I decided I was tired of being fat and out of shape and dedicated myself to change. It has been a long process and it is still a daily battle, but at this point I am in the best shape of my life – in my mid-40s. Go figure. That warrants a celebration, no? I was on the express train to the grave and now I have a chance to live long enough for my kids to have to change my diapers. I don’t know how long I’ll be here, but when I go it won’t be because I didn’t take care of myself. So today I will celebrate my accomplishments, both mind and body. I don’t really ever pat myself on the back, so this is both new and uncomfortable. But I’ll do it because I should. Because hard work should be acknowledged – even if it is only acknowledging yourself. [5 minutes pass] OK, I’m done celebrating. There is work to do. Windmills to chase. Things to accomplish. But this is progress for me. I usually don’t celebrate accomplishments for even 5 minutes. It actually feels pretty good. Come to think of it, I highly recommend it. There may be something to this celebration thing… –Mike Photo credit: “Destination: Goal” originally uploaded by Jay Cox Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Dropping your stuff: The Intralinks folks just published some interesting research, highlighted on Graham Cluley’s blog, showing how Dropbox and Box leak links to private files through Google searches. They prove their point by showing a 2012 tax return and a mortgage application. That’s awesome. It turns out anyone with a link for private sharing can see the file. No authentication needed. More awesome. The issue can also manifest if someone clicks a link embedded within a document viewed using Dropbox’s web preview function, because that link is included in the referrer information. So how do you solve the problem? Don’t share links. Duh. Oh, not an issue? Use business cloud storage services, which allow you to restrict access to shared links. We are only beginning to scratch the surface

Share:
Read Post

New Paper: Advanced Endpoint and Server Protection

Anti-virus is basically dead, at least according to the biggest anti-virus vendor. The good news is that signature-based AV has actually been dead for a long time; even the big players have been broadening their capabilities to assess, prevent, detect, and investigate advanced malware on endpoints and servers. There has been a tremendous amount of activity and innovation in protecting endpoint and servers, driven by necessity: Endpoint protection has become the punching bag of security. For every successful attack, the blame seems to point directly to a failure of endpoint protection. Not that this is totally unjustified — most solutions for endpoint protection have failed to keep pace with attackers. But hygiene and awareness alone will not deter advanced attackers very long. We frequently say advanced attackers are only as advanced as they need to be: they take the path of least resistance. But the converse is also true. When these adversaries need advanced techniques, they use them. Traditional malware defenses such as antivirus don’t stand much chance against a zero-day attack. Our Advanced Endpoint and Server Protection paper highlights the changes in threat management resulting from these advanced attackers using advanced tactics. We discuss changes in prevention, as well as advances in both detection and investigation. This is really a call to action to rethink how you deal with advanced adversaries, and ultimately how you protect your devices. Advanced adversaries require organizations to rethink how they manage threats. The idea that targeted attacks can be prevented consistently is a pipe dream, so organizations need to shift away from largely ineffective legacy technologies for protecting endpoints and servers. More specifically this means devoting more resources and investing in innovative approaches to blocking attacks in the first place, including advanced heuristics, application control, and isolation technologies. But even with significant investment in innovative prevention, a persistent attacker will still compromise your devices. This highlights the necessity of shifting security investment toward detecting and investigating attacks. We would like to thank the companies who have licensed this content (in alphabetical order): Bit9 + Carbon Black; Cisco/Sourcefire; and Trusteer, an IBM Company. We make this point frequently, but without security companies understanding and getting behind our Totally Transparent Research model, you wouldn’t be able to enjoy our research. Share:

Share:
Read Post

Firestarter: There Is No SecDevOps

Adrian is off at the altar of Buffett (the other one – not the one I wear a coconut bra for), so Mike and I delved into SecDevOps, triggered by a post from Andrew Storms over at DevOps.com. This is where the world is heading folks – you might as well prepare yourselves now. The audio-only version is up too.   Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.