Akshay on the business of security : Security

Response to InfoSec X Prize Part 1

Akshay Aggarwal — Fri, 06 Mar 2009 20:11:00 GMT

So I’ve been quite amazed by the amount of discussion and feedback i have received from colleagues and peers on my original post on creating fundamental change through competition. I will be posting some of the written replies that I received and which...(read more)

Baking Security In: A Comic Strip View of SDL

Akshay Aggarwal — Fri, 20 Feb 2009 21:07:00 GMT

So how do you t ake your average developer who scoffs at security from the careless and brash aka Kevin, to the poster child for good development practices aka Kevlarr. Well, the Microsoft SDL team has the answer for you. The team recently...(read more)

Microsoft IT Solutions: Full Drive Encryption using BitLocker

Akshay Aggarwal — Tue, 10 Feb 2009 21:01:00 GMT

One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage the learning that Microsoft IT has had in deploying technology or solving problems. Microsoft IT generally has to deploy new technologies...(read more)

Note to Fannie Mae: Dealing with Logic Bombs

Akshay Aggarwal — Tue, 03 Feb 2009 22:05:00 GMT

Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a Logic Bomb designed to take 4000 of the financial giants servers & their data. Since this news broke, a number of concerned CIOs have requested my team for...(read more)

The InfoSec X Prize: Fundamental Change Through Competition

Akshay Aggarwal — Fri, 23 Jan 2009 01:06:34 GMT

Today I had a thought provoking conversation with Dr. Peter Diamandis , Chairman and CEO of Zero Gravity Corporation & X Prize Foundation, on radical & fundamental change. Change that advances the status quo rather than relying on incremental...(read more)

Meter This: Practical Application Of Power drain Attack

Akshay Aggarwal — Sat, 26 Jul 2008 00:47:53 GMT

Last week while feeding my caffeine addiction I came across an article in the New York Times titled Can’t Find a Parking Spot? Check Smartphone . In order to reduce traffic congestion and fuel consumption, the city of San Francisco is implementing a new...(read more)

My BlueHat Talk

Akshay Aggarwal — Tue, 15 Jul 2008 23:08:27 GMT

Just got word that my talk Suddenly Psychic: Knowing everything about everyone was accepted at Microsoft's BlueHat Security Conference on October 16-17th. Sometimes when you go blue... you really go blue. Over the course of the next few months my buddy...(read more)

Towards enabling secure infrastructure outsourcing

Akshay Aggarwal — Mon, 14 Jul 2008 18:29:58 GMT

Many enterprise customers are increasingly evaluating the benefits of infrastructure outsourcing (ITO) to their businesses. In the past year, several CIOs have expressed concerns around the impact to the security and privacy of digital assets resulting...(read more)

Application Security development Lifecycle 4: Finding the right security talent

Akshay Aggarwal — Sun, 01 Jun 2008 22:45:00 GMT

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, " Great!! Now where do I find another 20 people like these?" (pointing to my team)... I thought about it a while and...(read more)

How Microsoft IT does Secure Application Development: Webcast

Akshay Aggarwal — Tue, 27 May 2008 19:20:00 GMT

Technorati Tags: Conference , SDLC , SDL , IT , ISV I will be discussing Microsoft IT's approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday May 29th....(read more)

Increase the TCO, kill the project: An ad-hoc analogy

Akshay Aggarwal — Wed, 14 May 2008 19:07:00 GMT

The other day I was subject to the assertion that the only asset an IT security organizations should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn't. The IT security org needs...(read more)

Application Security Development Lifecycle 3: Funding Models

Akshay Aggarwal — Thu, 08 May 2008 21:48:09 GMT

Now that you've decided (or battled) to set up an application security program you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line of business applications. In my experience helping...(read more)

Application Security Development Lifecycle 2: Mandatory or Not?

Akshay Aggarwal — Tue, 22 Apr 2008 10:36:21 GMT

Large enterprises tend to have a number of line of business (LOB) applications supporting business operations. It becomes key for an application security program to help the organization manage the risk posed by each of these applications. Applications...(read more)

Fear and Loathing in Las Vegas: The Hackers Turn Pro

Akshay Aggarwal — Mon, 01 Oct 2007 12:14:57 GMT

A great analysis by the Yankee group on the security posture of products from security vendors. A very interesting read.

Two key factors contribute to the growth of the underground vulnerability economy: historical and chronic weaknesses in the monopoly desktop operating system, Microsoft Windows; and the adolescent enthusiasm of vulnerability researchers continually trying to one-up each other.
Three years into its largely customer-imposed security push, Microsoft flaws continue to flow—but at a significantly decreased rate. Yankee Group analysis of a well-known public vulnerability data source, ICAT, suggests that flaw finders have shifted their focus toward security products.
From 2004 to May 2005 in particular, 77 disclosed vulnerabilities affected a wide array of security products. The incidents increased far faster than the rate for Microsoft (see Exhibit 1). When considering the number of affected products rather than just the number of distinct vulnerabilities, the rate of increase was as fast as that of the industry as a whole. Yankee Group believes this is because of three factors:
· Diminishing returns in operating systems: Security researchers focusing on Windows may have largely depleted the supply of the most easily exploited Microsoft flaws, especially in the wake of the watershed release of Windows XP, Service Pack 2.
· Low-hanging fruit in security products: Nearly all enterprises have deployed certain classes of security products, notably antivirus and (to a lesser extent) host intrusion prevention. Third-party and press scrutiny has not yet forced security companies to acknowledge and fix potential problems with their code, as it has with operating system vendors. Therefore, flaws targeting security software stand a better chance of being successful.
· Economic self-interest of testing specialists: Although not illegal, some security assessment vendors (notably eEye) specialize in finding vulnerabilities in other vendors’ security products. These vendors then turn around and sell their own security analysis products, which conveniently include detection signatures for the other vendors’ vulnerabilities. As shown in Exhibit 2, these firms discovered one-quarter (20 of 77) of the security product vulnerabilities reported in 2004 and 2005, about the same number discovered by independent researchers. In contrast, fratricidal discoveries by competing security vendors accounted for a minority (5 of 77). One firm—ISS—accounted for four of these.

This entry is a repost of an excerpt by request from an analysis document. Since I have been asked to forward provide this multiple times it may be best to point people to the blog entry instead. Also, who can resist a Hunter Thompson reference?