Securosis

Research

Apple Bug Bad. Patch Now. Here Are Good Writeups

Yesterday Apple released iOS 7.06, an important security update you have probably seen blasted across many other sites. A couple points: Apple normally doesn’t issue single-bug out-of-cycle security patches for non-public vulnerabilities. They especially don’t release a patch when the same vulnerability may be present on OS X but there isn’t an OS X patch yet. I hate speculating, especially where Apple is concerned, but Apple has some reason for handling this bug this way. Active exploitation is one possibility, and expectations of a public full disclosure is another. The bug makes SSL worthless if an attacker is on the same network as you. OS X appears vulnerable (10.9 for sure). There is no public patch yet. This will very likely be remediated very quickly. A lot of bad things can be done with this, but it isn’t a remotely exploitable malware kind of bug (yes, you might be able to use it locally to mess with updates – researchers will probably check that before the weekend is out). It is bad for Man in the Middle (MitM) attacks, but it isn’t like someone can push a button and get malware on all our iOS devices. It will be interesting to see whether news outlets understand this. The best security pro article is over at ThreatPost. The best technical post is at ImperialViolet. They also have a test page. If you are in an enterprise, either push the update with MDM as soon as possible, or email employees with instructions to update all their devices. Share:

Share:
Read Post

Firestarter Happy Hour- RSA 2014 (With an Audio Download Option)

We may have gone too far. Okay, not really, but we hope you enjoy this beer-fueled extended episode of the Securosis Firestarter. Clocking in at a full hour, we prep and review the upcoming RSA show, which is really our way of covering how we think the year in the security industry will look. Fair warning. Someone, and I won’t say who, may have had a little potty mouth at a couple points. We are also up and running with an audio-only version, and will get that up in iTunes soon. Click here for an audio-only version. Share:

Share:
Read Post

Summary: A Little Tipsy, a Little Edgy

It is 6:44pm as I write this. Adrian just left after we recorded our first extended Firestarter/Happy Hour. The idea was that he would drive down, we would dial Mike in from Atlanta, talk about RSA stuff, Adrian would leave, and I would finish off work. It was a pretty sweet plan. Right up until some semi rolled over at a major intersection near my house, shutting down both a highway and an arterial surface street. Adrian’s ride was delayed, but the beer wasn’t. My wife was also delayed because she handles daycare pickups (I do dropoffs), but the beer wasn’t. You see where this is headed? I had some wonderful pre-RSA things to talk about today. Mostly how I’m finding that in my hands-on research I am pushing beyond the capabilities of some products I am working with. I am asking for API calls that don’t exist and features that aren’t exposed. And yet. So far I have been mostly able to work around these issues. Oh, your API can’t identify XYZ in AWS? No worries, I can code that up pretty quickly. To be honest, this is really new territory for me as an analyst and as a developer. In my dev days I mostly stuck to one platform and one database, and learned the lines pretty quickly. As analysts we mostly talk to users and vendors to understand how things work – we don’t really have the resources to get hands-on with products, and even if we did, that wouldn’t reflect operational realities (which is why most magazine/whatever writeups are garbage). But now with cloud and DevOps I can dig in and explore tools and technologies to an unprecedented degree. I am learning that some of what I’m trying is pushing the limits, and I get to figure out alternative ways of solving the random problem I picked. I won’t lie – this is a blast. Sure, it’s frustrating to hit a technical issue beyond my capabilities, but it is incredibly satisfying when I learn a significant percentage of them aren’t due to personal failures, but instead limitations of what I am working with. As an analyst that is awesome. There is no better validation that I am on the right track than breaking things, at a fundamental level. And to be honest this is the kind of intellectual curiosity I think defines a security professional. My advantage is that I figured out how to make a living out of writing about stuff, and producing crappy code that could never withstand a production environment. No accountability? Sign me up, baby! At this pint I should probably mention that I am 5 craft brews in, so… er…. I am not responsible for this Summary. That is all. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mort quoted in Network World. Favorite Securosis Posts Adrian Lane: Deep Dive on Data Security. Mike Rothman: Deep Dive on Cloud Security. Rich kills it in his RSA Conference Guide piece on Cloud Security. He understands how all the pieces fit together. Read it – it will be pretty pertinent over the next couple years. Dave Lewis: After-School Special: It’s Time We Talked – about Big Data Security. David Mortman: RSA Conference Guide 2014 Watch List: DevOps. Rich: The (Full) 2014 Securosis RSA Conference Guide. Sure, we write the pieces, but for the past couple years Mike has pulled it together and added some serious awesome with his mad meme skills. He is really the driver who adds the awesome. Even if you already read the posts, you need to check out the PDF. Especially the IDM section – that’s all I will say. Other Securosis Posts Security Analytics with Big Data Research Paper. Incite 2/19/2014: Outwit, Outlast, OutRSA. Join the Securosis Firestarter Happy Hour: RSA Edition. Firestarter: Payment Madness. RSA Conference Guide 2014 Deep Dive: Endpoint Security. RSA Conference Guide 2014 Deep Dive: Identity and Access Management. RSA Conference Guide 2014 Deep Dive: Security Management and Compliance. RSA Conference Guide 2014 Deep Dive: Application Security. Favorite Outside Posts Adrian Lane: The thing to know about JavaScript. Ad a newbie with Javascript and NodeJS, I found this helpful. Mike Rothman: Wealth Logic founder shares his insights. Pretty much everyone has money pressures one way or another. I really liked this guy’s perspective. This is the money quote: “In other words, the portfolio’s purpose isn’t to produce income, but to be consumed to fuel your life. The goal isn’t to be the richest guy in the graveyard.” Man, that’s good advice. Rich: Target hack cost banks and credit unions more than $200 million. These are the kinds of numbers that move the meter. Gal: Swiss fighters grounded during hijacking as outside office hours. One of those stories that defies commentary. Rich (yup, another one): My hope for the new Cosmos. The original had a profound affect on how I see the world. My kids are probably too young but I will try to force this on them anyway. Research Reports and Presentations Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Executive Guide to Pragmatic Network Security Management. Security Awareness Training Evolution. Firewall Management Essentials. A Practical Example of Software Defined Security. Top News and Posts Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322 Shostack’s got a new book on Threat Modeling Forbes, Kickstarter breached New Whitepaper: Security at Scale: Logging in AWS. Iranian hack of US Navy network was more extensive and invasive than previously reported. RSA Exhibitor Guidelines that Make You Think…. Behind every line item, there is a story. Emergency Adobe Flash Update Handles Zero Day Under Attack. Share:

Share:
Read Post

The (Full) 2014 Securosis RSA Conference Guide

Yes, you have seen this content because we have been blogging it for 10 days. But you can’t really take our blog with you to the RSA Conference, can you? Oh, smartphone browsers. Never mind.   Anyway, we have spent some time packaging up our key themes and deep dives, breaking the vendors up into logical areas, and listing all the vendors so you know where to find them at the show. We have also gone a bit nuts with the memegenerator, so at minimum the guide should keep you entertained. And just another reminder to RSVP for the DR Breakfast. The entire week will be epic. Start it off right with the 2014 RSA Conference Guide! Download (PDF): The 2014 Securosis RSA Conference Guide Share:

Share:
Read Post

Security Analytics with Big Data Research Paper

  I am happy to announce the release of a research paper a long time in the making: Security Analytics with Big Data. This topic generates tons of questions from end users, and we get them from large and mid-sized enterprises alike. The goals of this research project were threefold: The research outline Describes what security analytics with big data is and what it looks like Discusses how it is different than past tools and platforms Discusses the main use cases These topics mirror our early discussions around security analytics. Big data is a very new and very disruptive trend, so how we might use big data to help with security problems was interesting to the community as a whole. Answering questions about how to leverage virtually free NoSQL analytics tools to do a better job of detecting security events is important – both for what is possible and to provide a picture of where the industry is heading. The story behind the research But a funny thing happened during the research – during interviews people invariably wanted to know how it works within their environment. Many people did not want to just start evaluating security analytics options – they were keen to leverage existing investments and build on infrastructure they already own. The backstory is relevant because this ended up becoming three contiguous research projects, and then we massaged the content into this final paper to address the full breadth of questions. When I begun this work a year ago I wanted to fully describe the skunkworks projects I was seeing at some small and mid-sized firms. Both security companies and motivated individuals were using multiple NoSQL variants to detect security problems, often either with a new approach or at a unprecedented cost we had not seen before. Those trends are reflected in this research. Along the way I spoke with 20 large enterprises, and I kept getting the same request: “We are interested in security analytics, but we want to blend both the data and analysis with existing investments”. Most of the time these firms were referring to SIEM, but occasionally they had data warehouses with other information they wished to reference as well. That is also reflected in the paper. But when I got to this point, things got a bit odd. Once our research papers are completed we see if companies are interested in licensing our research to educate employees, customers, or the larger IT community. The responses I got were, “This is not in line with our position”, “This research does not reflect what we see”, “This research does not differentiate our solution” and “Our SIEM was big data before there was big data”. The broader scope of this research generated a degree of negative feedback which got me thinking I had totally missed the mark, asked the wrong questions, or simply talked to too few of customers. I spent another 6 months going through new interviews with a broader set of questions, and speaking to more data architects, vendors, and would-be customers. Retracing my steps reaffirmed that the research was on target, and I feel this paper captures the market today. Customer interest and inquiries outpace what the vendor community is prepared to offer, and customers are asking for capabilities outside the vendor storylines. So this paper tells a decidedly different story than what you are likely to hear elsewhere. Recommendations First and foremost, this is a research paper to educate end users on what security analytics with big data is, the value it provides, and how to distinguish big data solutions from pretenders. That is its core value. If you are going to “roll your own” big data security analytics cluster, this research provides a sample of what other firms are doing, architectures they use, and the underlying components they leverage to support their work. It will help you understand what types of data you probably already have at your disposal, and what observations you can derive from it. If you are looking to acquire a big data analytics solution this research will help you understand potential risks in realizing your investment and help with rollout and integration. You can download a copy on its landing page: Security Analytics with Big Data. We hope you find this information helpful, and as always please ask questions or provide feedback on the blog. Share:

Share:
Read Post

Incite 2/19/2014: Outwit, Outlast, OutRSA

No, we aren’t talking about Survivor, which evidently is still on the air. Who knew? This week the band of merry Securosis men are frantically preparing for next week’s RSA Conference. We’ll all descend on San Francisco Sunday afternoon to get ready for a week of, well, work and play. I saw Stiennon tweet about his 50 meetings/briefings, etc. – claiming that’s a new personal record. That’s not #winning. That’s #losing – at least to me. I have way too many meetings scheduled – and that even doesn’t count all the parties I have committed to attending. Pretty much every minute of every day is spoken for. My liver hurts already. RSA is a war of attrition. By Friday when I fly home I am always a mess. A few years ago I ran into Andy Jaquith on the BART train back to the airport afterwards. He tried his best to make conversation, but I had nothing. I could hardly string three words together. I grunted a bit and scrawled a note that I’d call him the following week. I sleep well on Friday night when I get home. And most of Saturday too. I pray to a variety of deities to fend off the con flu. Usually to no avail – the RSA Conference grinds even the hardiest of souls into dust. But I really can’t complain much. As much as I whine about the crazy schedule, the lack of sleep, and the destruction of billions of brain cells, I love the RSA Conference. I get to see so many friends I have made over the past 20 years in this business. I get to see what’s new and exciting in the business, validate some of my research, and pick the brains of many smart folks. We are lucky to meet up with many of our clients and provide our view of the security world. I also find out about many new opportunities do work with those clients, and based on early indications March and April should be very busy indeed. So it’s all good. Based on early RSVPs we expect record numbers at our Disaster Recovery Breakfast Thursday morning. A ton of folks are interested in the talk on mindfulness JJ and I are doing at the show. And the 2014 Security Bloggers Meetup will be bigger and better than ever. Yes, if you can’t tell, I’m really looking forward to the Conference. And I look forward to seeing many of you there. –Mike PS: I learned yesterday that a pillar of the Atlanta security community passed away recently. So I’ll have a drink or ten in honor of Dan Combs. He was a good man. A good security guy. And he will be missed. RIP Dan. It’s just another reminder that our time here is short, so enjoy it, have fun, maximize each day, and live as large as you can. You never know which RSA Conference will be your last… Photo credit: “Survivor Finale” originally uploaded by Kristin Dos Santos Securosis Firestarter Have you checked out our new video podcast? Basically Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep to less than 15 minutes and usually fail. Feb 17 – Payment Madness Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom Jan 27 – Government Influence Jan 20 – Target and Antivirus Jan 13 – Crisis Communications 2014 RSA Conference Guide We’re at it again. For the fifth year we are putting together a comprehensive guide to want you need to know if you will be in San Francisco for the RSA Conference at the end of February. The full guide (with tons of memes and other humor that doesn’t translate to the blog) will be available later today. We will also be recording a special Firestarter video on Thursday, since you obviously can’t get enough of our mugs. Look for that on Friday… Key Themes Watch List: DevOps Key Theme: Cloud Everything Key Theme: Crypto and Data Protection Key Theme: Retailer Breaches Key Theme: Big Data Security Key Theme: APT0 Deep Dives Data Security Cloud Security Endpoint Security Identity and Access Management Security Management and Compliance Application Security Network Security And don’t forget to register for the Disaster Recovery Breakfast, 8-11am Thursday, at Jillian’s. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. The Future of Information Security Implications for Cloud Providers Implications for Security Vendors What it means (Part 3) Six Trends Changing the Face of Security A Disruptive Collision Introduction Leveraging Threat Intelligence in Security Monitoring Quick Wins with TISM The Threat Intelligence + Security Monitoring Process Revisiting Security Monitoring Benefiting from the Misfortune of Others Advanced Endpoint and Server Protection Prevention Assessment Introduction Newly Published Papers Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing What CISOs Need to Know about Cloud Computing Defending Against Application Denial of Service Security Awareness Training Evolution Firewall Management Essentials Incite 4 U Call it the Llama Clause: Just to get you in the RSA Conference state of mind, check out this great post from the Denim Group folks who are just learning about the nuances of exhibiting at RSA. Yup, there is a “no animals” restriction. Turns out not only can’t you bring a llama, you can’t bring a rhino either. Which is a bummer because a live rhino would be second only to Nir Zuk as booth catnip. You also can’t have loud noises or bad odors. Neither of which seems to be restricted at DEFCON. Apparently they also have a booth babe clause, or at least the right to ban folks unprofessionally or objectionably dressed. By the way, that would seem to be a bit of a subjective measure, no? For those attendees who don’t

Share:
Read Post

Join the Securosis Firestarter Happy Hour: RSA Edition

When we started the FireStarter we also decided to try a quarterly (or whenever convenient) extended edition that breaks out of our usual 15-minute time limit. We will be recording the very first of these this Thursday at 5pm ET. As usual, we will use Google Hangouts, and I have scheduled it so it shows up on the Securosis page. You can also watch live on YouTube. We will take questions and comments using the Hangouts On Air Q&A tool, and because Google doesn’t like anonymous comments on YouTube any more, we will keep an eye on Twitter (don’t forget – there is a bit of a delay). There will be beer, and you’ll get to see my home tiki bar. Share:

Share:
Read Post

Firestarter: Payment Madness

This is our last regular Firestarter before we record our pre-RSA Quarterly Happy Hour. This week, after a few non-sequiturs, we talk about the madness of payment systems. It seems the US is headed towards chip and signature, not chip and PIN like the rest of the world, because banks think American are too stupid to remember a second PIN. Share:

Share:
Read Post

RSA Conference Guide 2014 Deep Dive: Data Security

It is possible that 2014 will be the death of data security. Not only because we analysts can’t go long without proclaiming a vibrant market dead, but also thanks to cloud and mobile devices. You see, data security is far from dead, but is is increasingly difficult to talk about outside the context of cloud, mobile, or… er… Snowden. Oh yeah, and the NSA – we cannot forget them. Organizations have always been worried about protecting their data, kind of like the way everyone worries about flossing. You get motivated for a few days after the most recent root canal, but you somehow forget to buy new floss after you use up the free sample from the dentist. But if you get 80 cavities per year, and all your friends get cavities and walk complaining of severe pain, it might be time for a change. Buy us or the NSA will sniff all your Snowden We covered this under key themes, but the biggest data security push on the marketing side is going after one headlines from two different angles: Protect your stuff from the NSA. Protect your stuff from the guy who leaked all that stuff about the NSA. Before you get wrapped up in this spin cycle, ask yourself whether your threat model really includes defending yourself from a nation-state with an infinite budget, or if you want to consider the kind of internal lockdown that the NSA and other intelligence agencies skew towards. Some of you seriously need to consider these scenarios, but those folks are definitely rare. If you care about these things, start with defenses against advanced malware, encrypt everything on the network, and look heavily at File Activity Monitoring, Database Activity Monitoring, and other server-side tools to audit data usage. Endpoint tools can help but will miss huge swaths of attacks. Really, most of what you will see on this topic at the show is hype. Especially DRM (with the exception of some of the mobile stuff) and “encrypt all your files” because, you know, your employees have access to them already. Mobile isn’t all bad We talked about BYOD last year, and it is still clearly a big trend this year. But a funny thing is happening – Apple now provides rather extensive (but definitely not perfect) data security. Fortunately Android is still a complete disaster. The key is to understand that iOS is more secure, even though you have less direct control. Android you can control more visibly, but its data security is years behind iOS, and Android device fragmentation makes it even worse. (For more on iOS, check out our a deep dive on iOS 7 data security. I suppose some of you Canadians are still on BlackBerry, and those are pretty solid. For data security on mobile, split your thinking into MDM as the hook, and something else as the answer. MDM allows you to get what you need on the device. What exactly that is depends on your needs, but for now container apps are popular – especially cross-platform ones. Focus on container systems as close to the native device experience as possible, and match your employee workflows. If you make it hard on employees, or force them into apps that look like they were programmed in Atari BASIC (yep, I used it) and they will quickly find a way around you. And keep a close eye on iOS 7 – we expect Apple to close its last couple holes soon, and then you will be able to use nearly any app in the App Store securely. Cloud cloud cloud cloud cloud… and a Coke! Yes, we talk about cloud a lot. And yes, data security concerns are one of the biggest obstacles to cloud deployments. On the upside, there are a lot of legitimate options now. For Infrastructure as a Service look at volume encryption. For Platform as a Service, either encrypt before you send it to the cloud (again, you will see products on the show floor for this) or go with a provider who supports management of your own keys (only a couple of those, for now). For Software as a Service you can encrypt some of what you send these services, but you really need to keep it granular and ask hard questions about how they work. If they ask you to sign an NDA first, our usual warnings apply. We have looked hard at some of these tools, and used correctly they can really help wipe out compliance issues. Because we all know compliance is the reason you need to encrypt in cloud. Big data, big budget Expect to see much more discussion of big data security. Big data is a very useful tool when the technology fits, but the base platforms include almost no security. Look for encryption tools that work in distributed nodes, good access management and auditing tools for the application/analysis layer, and data masking. We have seen some tools that look like they can help but they aren’t necessarily cheap, and we are on the early edge of deployment. In other words it looks good on paper but we don’t yet have enough data points to know how effective it is. Share:

Share:
Read Post

RSA Conference Guide 2014 Deep Dive: Endpoint Security

We are in the home stretch, with only a few more deep dives to post. EPP: Living on Borrowed Time? Every year we take a step back and wonder if this is the year customers will finally revolt against endpoint protection suites and shift en masse to something free, or one of the new technologies focused on preventing advanced attacks. It is so easy to forget how important inertia is to security buying cycles. Combined with the continued (ridiculous) PCI mandate for ‘anti-malware’ (whatever that means), the AV vendors continue to print money. Our friends at 451 Group illustrate this with a recent survey. A whopping 5% of respondents are reducing their antivirus budget, while 13% are actually increasing the budget. Uh, what?!?! Most are maintaining the status quo, so you will see the usual AV suspects with their big RSA Conference booths, paid for by inertia and the PCI Security Standards Council. Sometimes it would be great to have a neutron cluebat to show the mass market the futility of old-school AV… Don’t Call It a Sandbox The big AV vendors cannot afford to kill their golden goose, so innovation is unlikely to come from them. The good news is that there are plenty of companies taking different approaches to detection at the endpoint and server. Some look at file analysis, others have innovative heuristics, and you will also see isolation technologies on the floor. Don’t forget old-school application control, which is making a comeback on the back of Windows XP’s end of life, and the fact that servers and fixed function devices should be totally locked down. We expect isolation vendors to make the most noise at the RSA Conference. Their approach is to isolate vulnerable programs (including Java, browsers, and/or Office suites) from the rest of the device so malware can’t access the file system or other resources to further compromise the device. Whether isolation is via virtualization, VDI, old-school terminal services, or newfangled endpoint isolation (either at the app or kernel level), it is all about accepting that you cannot stop infection, so you need to make sure malware can’t get to anything interesting on the device. These technologies are promising but not yet mature. We have heard of very few large-scale implementations but we need to do something different, so we are watching these technologies closely, and you should too. The Rise of the Endpoint Monitors As we described in the introduction to our Advanced Endpoint and Server Protection series, we are seeing a shift in budget from predominately prevention to detection and investigation functions. This is a great thing in light of the fact that you cannot stop all attacks. At the show we will see a lot of activity around endpoint forensics, driven by hype over the recent FireEye/Mandiant and Bit9/Carbon Black deals, bringing this technology into the spotlight. But there is a bigger theme – what we call “Endpoint Activity Monitoring”. It involves storing very detailed historical endpoint (and server) telemetry, and then searching for indicators of compromise in hopes of identifying new attacks that evade the preventative controls. This allows you to find compromised devices even if they are dormant. Of course if isolation is immature technology, endpoint activity monitoring is embryonic. There are a bunch of different approaches to storing that data, so you will hear vendors poking each other about whether they store on-site or in the cloud. They also have different approaches to analyzing that massive amount of data. But all these technical things obscure the real issue: whether these technologies can scale. This is another technology to keep an eye on at the show. Endpoints and Network: BFF The other side of the coin discussed in our Network Security deep dive is that endpoint solutions to prevent and detect advanced malware need to work with network stuff. The sooner an attack can be either blocked or detected, the better, so being able to do some prevention/detection on the network is key. This interoperability is also important because running a full-on malware analysis environment on every endpoint is inefficient. Being able to have an endpoint or server agent send a file either to an on-premise network-based sandbox or a cloud-based analysis engine provides a better means of determining how malicious the file really is. Of course this malware analysis doesn’t happen in real time, and you usually cannot wait for a verdict from off-device analysis before allowing the file to execute on the device. So devices will still get popped but technology like endpoint activity monitoring, described above, gives you the ability to search for devices that have been pwned using a profile of the malware from analysis engines. Mobile? Most MDM vendors have been bought, so managing these devices is pretty much commodity technology now. Every endpoint protection vendor has a mobile offering they are bundling into their suite. But nobody seems to care. It’s not that these products aren’t selling. They are flying off the virtual shelves, but they are simply not exciting. And if it’s not exciting you won’t hear much about it at the conference. Some new startups will be introducing technologies like mobile IPS, but it just seems like yesterday’s approach to a problem that requires thinking differently. Maybe these folks should check out Rich’s work on protecting iOS, which gets down to the real issue: the data. It seems like the year of mobile malware is coming – right behind the year of PKI. Not that mobile malware doesn’t exist, but it’s not having enough impact to fire the industry up. Which means it will be a no-show at the big show. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.