Securosis Blog

RSA Recap

Adrian Lane · April 27, 2009

Wanted to post my highlights of the RSA show. Rich and I meant to post daily updates about our experiences during the show, but we were quite literally in meetings or gatherings from 8:30 AM until we went to bed each night. No chance of writing and posting from a secure connection. I have a stack of 70+ business cards sitting here on my desk, and I gave out almost all of the 200 I brought with me. I can barely remember talking to that many people over the course of the week.

Project Quant Town Hall at RSA

Rich · April 21, 2009

Hey folks,

Just a quick note that we had a few people ask if we were going to hold a meeting on Project Quant out here at RSA.

Friday Summary - April 17 2009

Adrian Lane · April 17, 2009

The big news at Securosis this week was the launching of Project Quant! Not only are we excited about working with some of the team members at Microsoft, but we are going to be really pushing the boundaries of our Totally Transparent Research process. Rich has been furiously setting up the infrastructure all week to support the public discourse for the project, and he just got it finished in time for launch. We are grateful that there is a ton of interest out there as we have been getting…

Yesterday, our friends over at Marker Advisors shared some information on what they see on the financial side of the IT security world. Today they follow up with a brief conclusion about how this is playing out.

When I first started Securosis I was a little surprised at the number of due diligence and other investor-related projects that started flowing through the door. At Gartner we couldn’t engage in these kinds of projects (for some very good reasons), but being independent allowed me more flexibility. Since then we’ve continued to work closely with a variety of investment partners and clients.

Marshal8e6 Buys Avinti

Adrian Lane · April 16, 2009

eWeek is reporting that Avinti is being acquired by Marshal8e6 this week. There has not been a lot of news in this sector of late, but this one is a little different, so what exactly do we have here? A web security appliance vendor merged with an email security software vendor, buying another vendor who leverages virtual environments to isolate code behavior. Marshal8e6 is the recent merger of the Mail Marshal email security guys with 8e6, the web security firm. Avinti provides a sort of…

“PIN Crackers” and Data Security

Adrian Lane · April 15, 2009

Really excellent article by Kim Zetter on the Wired Threat Level site regarding “PIN cracking”, and some of the techniques being employed to gather large amounts of consumer financial data. I know Rich referenced this post earlier today, but since I already wrote about it and have a few other points I think should be mentioned, hopefully you will not mind the duplicated reference.

We spend a lot of time talking about security metrics over here, and I’ve been pretty critical of both overly-broad initiatives that don’t help people get their day to day jobs done, and “fluffy” models that try to put hard numbers on risks/threats and such. Well, it looks like it’s time for me to put up or shut up.

Oracle CPU for April 2009

Adrian Lane · April 15, 2009

Oracle released the April 2009 Critical Patch Update; a couple of serious issues are addressed in the database, and a couple more that concern web application developers.

For the database server, there are two vulnerabilities that can be remotely exploited without user credentials. As is typical, some of the information that would help provide enough understanding or insight to devise a workaround is absent, but a couple are serious enough that you really do need to patch, and I will forgo a zombie…

This is a great day for security researchers, and a bad day for anyone with a bank account.

First up is the release of the 2009 Verizon Data Breach Investigations Report. This is now officially my favorite breach metrics source, and it’s chock full of incredibly valuable information. I love the report because it’s not based on bullshit surveys, but on real incident investigations. The results are slowly spreading throughout the blogosphere, and we won’t copy them all here, but a few highlights: