An open letter to all anti-virus software makers:
February 2, 2006
Dear Antivirus Industry,
Why are you so addicted to the term “blended threat”? It seems to mean something special to you… but it means nothing to anybody else.
Yankee Group research may not be as well-subscribed as, say, Gartner’s, but I like to think that it compares favorably with it. Earlier this year I wrote a research note titled Fear and Loathing in Las Vegas: the Hackers Turn Pro about the increasing number of vulnerabilities found in security products.
Many readers know that my day job is as a security technology analyst for Yankee Group. Well, it’s about that time of year where we start to wind down our research calendar.
Just saw the very funny Devil’s InfoSec Dictionary on the CSO site. Of course, I had to add a few definitions of my own:
Blended threat: a hemlock smoothie
Process, Security Is A: a throw-away line that explains why security measurement is impossible
Risk management: a repeated process around the Hamster Wheel of Pain that vendors use to enumerate vulnerabilities you didn’t know you had, followed by serial remediation of same.
I hate to be a curmudgeon about this, but this fellow needs a beat-down:
Fixing AJAX: XmlHttpRequest Considered Harmful
I offer this as exhibit A (as in AJAX) about why application security may well be intractable, in part because we’ve got mainstream technical outlets teaching techniques to evade well-founded security principles.
The folks at the NY Times have put together a nifty interactive graphic that diagrams the various data breach cases that have been disclosed since January.