Managing your risks sounds rather cryptic and to many it is. It is about recognizing the value of what you have, the costs to protect it, and the risks of bad things happening. Examine the insurance industry. They manage to stay in business despite the constant onslaught of floods, hurricanes, tornadoes, earthquakes, and other disasters.
Based on your experiences, do you find proprietary software or open source software to be more secure?
Neither. The vulnerability mailing lists are filled with reports for both open source and proprietary software. The problems of poor design, unsafe coding practices, and complexity are not limited to any one philosophy of software production. The philosophy gives no information on the diligence of either the product design, coding practices, or general quality levels.
The risk or security of software is measured by the amount of peer review that software has had. An unknown piece of software is deemed suspect until proven innocent by usage. I believe that open source software has the advantage here by its community at large vetting process versus private audits that the proprietary software is limited to.
What do you think about the full disclosure of vulnerabilities?
I am in favor of it. Only by studing past failures can we mitigate future ones. Of course, this requires an environment where people may learn and apply the past lessons. I do think that the discovers of a vulnerability should notify vendors discretely before posting details. The key point should be getting the vulnerability fixed and systems patched not about giving script kiddies another exploit.
What are your plans for the future? Any exciting new projects?
I am currently enjoying the celebrity lifestyle of a security author. :) My current project is to spend time with those close to me.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.