I see these services as a very useful component to enforce security in organizations that lack the will, focus, expertise or resources to do so in-house. I usually refer to these as automated vulnerability *scanning* services, which is quite different than an assessment. The later implies that the provider understands the risks associated with each vulnerability and how they apply to the particular organization being scanned. This in turn implies a somewhat deeper understanding of its business model and processes, IT infrastructure and human resources. So, in that sense it is not a very scalable or automatable service. But it is definitely a useful one.

However, a common mistake is to think that if you contract an automated vulnerability scanning service you will offload the infosecurity chores from your staff. Well that is the case if you don't plan to act upon the results of the scans (a bad idea!). But if you do plan to act on the results, then you will face the patch management and distribution problem, which could also be automated, and this means having to decide what to patch and when - and that decision can not be automated without an in-depth understanding of your organization. So, overall a vulnerability scanning service can be of great help to your security if you understand what is the best use for it in your organization.

Wireless networks are more and more replacing the current wired networks. What do you think about the current state of wireless security?

It is very close to non-existent. Wireless security is a very immature field and current solutions are at best 'weak'. I would expect substantial improvements in the next few years. I am an optimist, I believe in people, even scientists, engineers and businessmen are able to learn from past errors and avoid repeating them. :)


What security related books can you suggest to our visitors?

• "Security Engineering: A Guide to Building Dependable Distributed Systems" by Ross J. Anderson
• "Building Secure Software: How to Avoid Security Problems the Right Way" by John Viega, Gary McGraw
• "Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community" by The Honeynet Project (Lance Spitzner et. al.)
• "Honeypots: Tracking Hackers" by Lance Spitzner
• "Computer Security: Art and Science" by Matt Bishop

And certainly the collection of Early Computer Security papers at http://csrc.nist.gov/publications/history/

What should we expect from Core Security Technologies in the future?

You should expect Core Security Technologies to continue providing world-class security expertise in our CORE IMPACT product and our consulting services. CORE IMPACT 4.0 is due out in Q3 2003 and will have some amazing new capabilities.

And we have many other things up our sleeve.