Flaw finders are packaging their efforts into slick month-of bug projects. But are we more secure for it?
As this industry matures, even the bug finders are getting a little slick. They've taken a few pages from the vendors' playbook and recently productized their findings--packaging and launching them in what they've called "month-of" projects. It all started last summer with the month of the browser bugs, followed by the month of kernel bugs and the month of Apple bugs. It sounds like a good idea on paper. You force the hand of vendors to fix known bugs. But the vendors are inundated with bugs (unfortunately) and haven't seemed to react to these tactics. Instead the month-of projects are just giving hackers easier access to information.
Next I want to highlight a story that was driven by our editorial advisory board. Since many members work at multinational organizations, our board asked for more information on global security and privacy regulations. And rightly so. It doesn't get more confusing than the raft of global regulations that security professionals have to decipher. In the U.S., we have 34--and counting--state disclosure laws but no federal law. Nine U.S agencies have privacy regulations and enforcement authority. In Europe, there are 46 countries with privacy laws. In Asia Pacific, there is yet another set of guidelines that have privacy mandates that overlap with the U.S. and Europe. Then one fact that made me shudder: The three primary countries where most corporations outsource--China, India and the Philippines--have no data protection laws at all. Should a breach occur with one of your outsourcers in India, for instance, you have far less leverage to prosecute. To help you understand the global regulations today go and read Jody R. Westby's article, "Going Global."
We have another article that we hope will help you see the forest through the trees. "Security Blueprint" explains how some of your peers have formalized a security architecture to help with the evolving nature of threats.
Lastly, we are starting the year on a very somber note. Two noted security luminaries, Robert Garigue and Bill Hancock, unexpectedly passed away last month.
Robert graced our cover in October as a Security 7 winner. As former CISO of the Bank of Montreal and most recently chief security executive of Bell Canada, Garigue, 55, was a rare combination of practitioner and scholar. As colleagues look back on his accomplishments the word "inspiring" comes up over and over again. I was lucky enough to have the opportunity to meet him and I would add to those descriptions: insightful. And despite his many accomplishments he was grounded and humble.
Bill Hancock, known as Dr. Bill by many in the industry, passed away at the age of 49. He was a well-known security personality as he was a frequent speaker at many events. He was also involved in many industry-wide projects such as the Internet Security Alliance, a non-profit collaboration between the Electronic Industries Alliance and Carnegie Mellon University's Cylab. Both made their mark on this industry and will be sorely missed. Our thoughts and prayers are with their families and friends.