Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=207100989
:
: By Rob Preston
: InformationWeek
: April 12, 2008
: (From the April 14, 2008 issue)
:
: Last year, RSA chief Art Coviello championed industry consolidation,
: arguing that as a handful of major vendors (EMC, Cisco, IBM,
: Microsoft) built security into their infrastructure platforms,
: standalone security challengers would fall by the wayside--all within
: three years. "If I'm proven wrong about the timing," Coviello said
: last year, "I won't be proven wrong in the need for this." The likes
: of Symantec and McAfee begged to differ, and the industry continues to
: debate the strengths and weaknesses of all-in-one security
: architectures.

I think Mr. Coviello should also champion "all hackers laying down their
virtual weapons" as it is probably just as likely to happen as vendors
like Cisco or IBM eliminating simple vulnerabilities (let alone the
complex ones).

IBM is still having problems with simple buffer overflows:

2008-03-11 - IBM AIX reboot Local Overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1601

Cisco is still using default accounts and passwords:

2008-01-23 - Cisco Application Velocity System (AVS) System Accounts Default Password
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0029

RSA still can't properly enforce a blacklist:

2008-03-17 - RSA SecurID WebID RSA Authentication Agent (IISWebAgentIF.dll) postdata Variable Blacklist Bypass
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1470

When companies can get over the small hurdles, then perhaps we can tackle
the bigger issues and shoot for three-year time frames.

: More than 80% of the IT, security, and business executives RSA
: recently surveyed with IDC "admit that their organizations have shied
: away from business innovation opportunities because of information
: security concerns," Coviello told the RSA audience. The main
: challenge: Move the internal conversation about security away from
: fear mongering and worst-case scenarios toward how security can
: augment new products and services. Or at least don't get in the way.
: It's tantamount to the security pro's Hippocratic oath: First, do no
: harm.

Move away from fear-mongering, but RSA proudly lists Ira "I can steal a
billion dollars from any company" Winkler as a blogger. Good start!

-==-
Let identityLoveSock take your personal information into their wanting hands.
http://www.identity-love-sock.com/
Because victims have money too.
This archive was generated by hypermail 2.1.3 : Tue Apr 15 2008 - 00:46:39 PDT