- How do I really know what I am vulnerable to?
- What is my security posture against real-world attackers?
- Why should I spend money on information security? What happened with all the money I already spent? How much more secure am I now?
- How do I make my security staff more effective and efficient, and improve their team and personal abilities and knowledge?
- How do I increase the security awareness of my users?
- What did I overlook in my security strategy?
- How do I bake in security and make it sustainable over time instead of smearing it on my current infrastructure and business, which, by the way, might change substantially in 1, 2, 5, 10 years?
For many years OpenBSD has been the most secure general purpose operating system. It is also free and open-source, which are additional advantages. Many others, both commercial and free, are quickly catching up. But if I had to choose today, from a purely security perspective, I would say that OpenBSD is still the king of the hill.
What are the good and bad things of full disclosure of vulnerabilities?
To me, full disclosure of vulnerabilities is just a tool that can be used for good or evil. It is the USE of that tool by specific individuals or organizations that should be judged, rather than the concept itself.
If used properly, full disclosure will get bugs fixed, will help explain the mechanics of security vulnerabilities and their importance, and ultimately WILL help to reduce the overall risk vulnerabilities pose.
If used improperly, full disclosure will get bugs fixed, will help explain the mechanics of security vulnerabilities and their importance, but ultimately WILL NOT help to reduce the overall risk vulnerabilities pose.
However, neither no disclosure nor 'secret' disclosure of vulnerabilities has ever been proven to be a bullet-proof method to get bugs fixed and reduce risk.
So, using this full disclosure tool might be harmful. But NOT using it IS DEFINITELY harmful! So, I do not really see much of a choice.
How much disclosure constitutes full disclosure is a matter of controversy as well, and I do not think one can generalize here. At Core we deal with these issues on a case-by-case basis and try to put forth our best efforts and leverage our extensive experience to work towards minimizing risks.
Name your top five security tools?
vi : The popular UNIX file editor.
I really enjoy reading source code, and I not only look for security bugs but I also try to understand the author's mind and heart as expressed by his or her code.
Simple, elegant, clearly conceived and implemented code with clever techniques is generally also secure code. A simple file editor and enough time on your hands is the best security tool in existence.
You can inspect other people's code and find bugs, sometimes you can fix the bugs yourself or you can even code your own software that matches your own security standards.
CORE IMPACT : The penetration testing solution
Next in my favorites list. It never ceases to amaze me the amount of knowledge and security expertise poured into this product - and yet it is usable by any regular guy. Besides all the commercial justifications for a product like this - which I shouldn't be so blatantly promoting :), it gives me a great tool to learn and try new things and ideas that otherwise I would not have had the time to do.
Snort : The network Intrusion Detection System