Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - January 22, 2007

By Mike Rothman
Created 2007-01-22 09:27
Today's Daily Incite

January 22, 2007 - Volume 2, #12

Good Morning {!firstname}:
Hi, I'm Mike and I'm an addict. For those of you who have read the Pragmatic CSO introduction or the full Monty, you know that's how every chapter starts. Though I am not addicted to the status quo of battling security and buying security products (like you probably are), I am addicted to live comedy. The boss and I went to see Roz [1] (from Last Comic Standing) and she put on one of the best comedy shows I've ever seen, including eviscerating a drunk girl in the front row. I doubt this addiction will require a 12-step program or an intervention, though. Laughter is a wonderful diversion from our daily grind.

Let's focus on application security today, since it remains one of the biggest problems we security folk face. I just love it when the mainstream tech media make pronouncements that are so obvious, yet so ridiculous (here [1]). It's not that we security folks don't know how to fix the secure applications conundrum; actually doing it is a totally different ballgame. But whatever, as long as security remains part of the discussion, that's a good thing. I also highlight the grand entrance of Veracode onto the scene (here [1]). Driven by some smart dudes, but with a different business model: basically not teaching the man to fish, but fishing for him, with the fish being application security errors. It'll be interesting to see if they can gain any traction.

Continuing our application security focus in blog-land, Jeremiah makes the point about the hazards of chasing the low-hanging fruit (here [1]). That is usually a good approach, given that eliminating the last 10% of issues tends to cost 4 times as much, but when you are talking about critical business systems (read the P-CSO if you aren't clear about what those are) no stone can be left unturned. And Schneier brings up the old liability card (here [1]) as well. He's written about this before, but until there is some kind of legal precedent establishing the liability of the software maker, forget it. No one is going to volunteer to accept liability, given the litigious nature of the tort vultures here in the US.

Have a great day.

Technorati: Information Security [2], CSO [3]

The Pragmatic CSO [4]
The Pragmatic CSO is Here!

Read the Intro and Get "5 Tips to be a Better CSO"

www.pragmaticcso.com [5]

Top Security News

http://blogs.zdnet.com/BTL/?p=4280 [6]

http://www.darkreading.com/document.asp?doc_id=114615 [7]

http://www.networkworld.com/news/2007/010907-veracode-security-evaluations.html [8]

http://news.yahoo.com/s/infoworld/20070117/tc_infoworld/85188_1 [9]


Top Blog Postings

http://jeremiahgrossman.blogspot.com/2007/01/dr.html [10]

http://www.schneier.com/blog/archives/2007/01/information_sec_1.html [11]

http://datasecurity.wordpress.com/2007/01/22/roi-of-pci-compliance/ [12]

http://technobabylon.typepad.com/tb/2007/01/4_questions_to_.html [13]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-january-22-2007