Mark Curphey is starting a series of posts on application security review scoping, which should be interesting reading (although I imagine it may annoy some people in the industry ;o) )
In this one, looking at the business aspects, I particularly liked the bit about "Bling Bling or Bang Bang". It's true to say that in a lot of cases the money spent getting consultants to write up reports could be better spent elsewhere, especially in cases where an internal team will be reformatting the output before presenting it to the business.
Also, like some other people in the industry (Marcus Ranum being an example), Mark seems to have a flair for analogies. Drawing the analogy from security assessment companies to the food industry was in many ways bang on.
There are "Chefs" out there, where you specifically want their services, not just those of the company they work for. That said, I'm not sure any of the companies out there will want to be associated with being "food chains"!
TaoSecurity: Marcus Ranum Highlights from USENIX Class
There are some very good points here in TaoSecurity's summary of a Marcus Ranum session at USENIX.
I've not seen the original talk but the summary makes me wish I'd been there.
The point on the perimeter being a complexity management tool is very well made in reference to de-perimeterization. It's all very well saying that each individual device needs to be able to stand alone from a security perspective but it's still a lot easier to manage the security of the wider environment when you've got some control over what can get in at all, and the perimeter can and does provide that.
The points about quantification problems seem to have provoked a response from Alex. I actually think, having seen these arguments come up repeatedly on blogs and on the CISSP forum, and also having started reading "Security Metrics" by Andrew Jaquith, that there's less distance between the people who are strong proponents of quantitative analysis and those who are proponents of qualitative analysis. One thing that has struck me in these debates is that when you look at the examples on both sides they tend to be in different areas of security.
My feeling is that there needs to be a mix of the two styles depending on where they're most appropriate, but I'll reserve expanding on that till I've sorted my thoughts on the matter out better as it's a bit of a minefield...
Rational Security: On-Demand SaaS Vendors Able to Secure Assets Better than Customers?
An interesting post from Hoff on whether having data with SaaS vendors may leave you more or less secure overall.
I've had a couple of experiences of this over the years and I'll say that generally where I'm seeing data hosted out of the company using SaaS I tend to get less of a feeling of security rather than more.
A couple of reasons for this. Using SaaS adds complexity to areas like leavers/movers/starters procedures, as there's another notification point for these, and as we know most companies aren't perfect at leaver policies, so you can introduce the risk that people who have left can still get access to company data.
Also, there's no really good way to easily assure the third party's security. As Hoff alludes to, a lot of companies think SAS70 == Security, which just ain't the case (although it can be useful for getting assurance over the performance of some security-related procedures). So you're left with either engaging in a lengthy assurance process, which probably isn't practical if you have a lot of SaaS vendors, or relying on a combination of Pen Test/SAS 70/contract.
Of course, this is complicated even more where the SaaS vendor outsources some of their functions like site hosting, as then you have hierarchies of trust with each agent having similar difficulties in trying to assure the security of the companies they rely on.
Black Hat 2007 Multimedia - Presentation, Audio and Video Archives
Black Hat US 2007 presentations are up on the site now, great news for those of us not lucky enough to have been there, as we can get some more details on all the interesting ideas talked about.
Came across a tool today that should help make light work of the research phase of a penetration test: Paterva Evolution.
Essentially it seems to be a nice graphical way of establishing connections related to a specific resource. So, for example, any email addresses that are findable relating to a given domain name.
Of course that kind of research can be done manually, but this is an awful lot slicker!