Interview with Ivan Arce, CTO of Core Security Technologies
by Berislav Kucan - Thursday, 29 May 2003
CORE FORCE is a comprehensive security solution for workstations which are, from a security standpoint, the most overlooked component in an organizations IT infrastructure. CORE FORCE has not been officially released yet at our lab we are actively working in application sandboxing, file system and registry access control mechanisms and network firewalling capabilities for WinNT, Win2k and WinXP based workstations using it.

Your Company is VISA-CISP certified. What are the benefits from this certification?

CORE is one of the very few companies worldwide that is certified by VISA to determine if an organization meets the VISA Cardholder Information Security Program. This program defines VISA's standard of due care and enforcement of protection mechanisms of customer's sensitive information.

Compliance with CISP is a mandatory requirement from VISA for its online merchants. Benefits of achieving the certification are both direct, such as being able to operate an e-commerce initiative within defined security standards, and perceived, such as providing a greater level of confidence and assurance to customers with respect to their sensitive information and the security of their transactions.

What security concerns dominate with your clients?
  • How do I really know what I am vulnerable to?
  • What is my security posture against real-world attackers?
  • Why should I spend money on information security? What happened with all the money I already spent? How much more secure am I now?
  • How do I make my security staff more effective, efficient and improve their team and personal abilities and knowledge?
  • How do I increase the security awareness of my users?
  • What did I overlook in my security strategy?
  • How do I bake-in security and make it sustainable over time instead of smearing it on my current infrastructure and business, which by the way might change substantially in 1, 2, 5, 10 years?
In your opinion, what operating system is better, when taking a look from the security perspective?

For many years OpenBSD has been the most secure general purpose operating system. It is also free and open-source, which are additional advantages. Many others, both commercial and free, are quickly catching up. But if I had to choose today, from a purely security perspective. I would say that OpenBSD is still the king of the hill.

What are the good and bad things of full disclosure of vulnerabilities?

To me, full disclosure of vulnerabilities is just a tool that can be used for good or evil. It is the USE of that tool by specific individuals or organizations that should be judged, rather than the concept itself.

If used properly, full disclosure will get bugs fixed, will help explain the mechanics of security vulnerabilities and their importance, and ultimately WILL help to reduce the overall risk vulnerabilities pose.

If used improperly, full disclosure will get bugs fixed, will help explain the mechanics of security vulnerabilities and their importance, but ultimately WILL NOT help to reduce the overall risk vulnerabilities pose.

However no disclosure or 'secret' disclosure of vulnerabilities has never been proven as a bullet-proof method to get bugs fixed and reduce risk.

So, using this full disclosure tool might be harmful. But NOT using it IS DEFINITELY harmful! So, I do not really see much of a choice.

How much disclosure constitutes full disclosure is a matter of controversy as well, and I do not think one can generalize here. At Core we deal with these issues on a case-by-case basis and try to put forth our best efforts and leverage our extensive experience to work towards minimizing risks.

Name your top five security tools?

vi : The popular UNIX file editor.

I really enjoy reading source code, and I not only look for security bugs but I also try to understand the author's mind and heart as expressed by his or her code.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th