David Rice is an internationally recognised information security professional and author of the critically acclaimed book, “Geekonomics: The Real Cost of Insecure Software.”  For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

I had a chance to talk with David recently and I hope you enjoy the read.


BorB: Thank you for taking the time for a chat David. I thoroughly enjoyed the book and would recommend it to everyone. What’s the feedback been like from the industry and non-industry (consumers) in general?

DR: Thank you for the opportunity to join the discussion on your blog. Feedback from the information security industry has been overwhelmingly positive. Defending against an unrelenting stream of software vulnerabilities is simply unsustainable. It also happens to be ridiculously expensive. I think people get that point. Software manufacturers and security vendors have led us into a cul-de-sac that we have been wandering around in for a few years, and the frustration is palpable. I think approaching insecure software from an economic perspective has started opening doors that lead out of the cul-de-sac and there is a feeling of hope in that.

The response from outside the information security industry, particularly consumers, has been a mixture of enlightenment, shock, and dismay. For example, a U.S. government representative stated to me, “I can’t put [the book] down. It’s incredible because I’ve never really thought about things this way before.” On a recent radio interview the host asked (rather desperately I might add), “Why isn’t this stuff [cyber attacks] being reported? What do we do?” By the tone of his voice, I could tell he was truly disturbed as well as surprised. It was as if someone told him cigarettes cause lung cancer, manufacturing creates pollution, or fatty foods cause heart disease. Yes, indeed, software can have significant private and social costs also.

On the whole, I think these reactions are healthy and normal. Some people are getting concerned, and some angry. These reactions, and those like them, are understandable and I take such reactions as a good sign. It means that listeners are re-adjusting their viewpoints based on the information presented to them. In the end, I don’t think we inside the security profession really comprehend just how far behind the rest of the populace is in understanding the issues of cyber security.


As you know, I am not a fan of most IT security surveys but Jeremiah Grossman’s Web Application Security Professionals Survey is an exception. The full survey and comments are well worth downloading. (And if you use HackerSafe, well what did you expect industry specialists were going to say?!) :-)

This topic has been hot again in recent times and we’ve been asked a few times on what our position to this is. In the past, and with our previous relationships, we’ve been in the “responsible disclosure” camp. Advisories went out after the vendors had announced patches to the vulnerabilities announced, (and in some cases exploits developed in parallel to confirm the proof of concept). It seems the camps are divided in two as described here but is the third option of no-disclosure outside of vendor/client a major consideration that hasn’t had much discussion (relatively)? What percentage of vulns in systems and applications are never disclosed? Why isn’t this seen as potentially a major part of how vulns are dealt with? How skewed are figures in yearly stats and surveys due to this area, (and I don’t mean sales of vulns to organisations who buy them – I mean those vulns discovered in vendor systems and applications and those detected in personal engagements for clients for home grown systems and applications)?


An interesting story here on another hosting provider looking at the potentially lucrative PCI DSS compliance market. From the Australian IT; “IT security on the cheap“. What concerns me here are promises being made by new entrants into the PCI market. Organisations looking at companies like this, or anyone promoting quick and easy solutions to compliance, need to seriously investigate what it is they are getting. Cheap and secure hosting alone does not make for simple PCI DSS compliance, and every customer will have more internal process, procedure and application issues around compliance that may far outweigh, in terms of number of requirements satisfied, those satisfied by outsourcing some responsibility to a third-party.

Compliance with PCI DSS is not cheap and it’s not simple. Anyone who promotes it as cheap and simple should be assessed very carefully.

In recent times, Securus Global has been working with manageNET to develop a truly secure hosting environment for clients and their PCI DSS compliance. Both organisations understand how complex each individual organisation’s requirements can be, so while core secure hosting may not be relatively complex, each individual company’s environments around credit card processing, storage and transmission differ, so all solutions are developed on a client by client basis. If a hosting provider is not doing this, they shouldn’t be in this game. End of disclosure.

BTW, the comment in the article; “Meanwhile, merchants that store credit card information would have to complete up to 223 questions every quarter to adhere to PCI DSS guidelines” is wrong obviously. Also, gees I’d be concerned dealing with someone who; “After taking a beating on the stock exchange, BlueFreeway hopes to revive its fortunes with the solution, squarely aimed at small and medium-sized enterprises (SMEs)” :-)

From idea to concept, to proof of concept, almost anything to break the Net and systems on it is plausible. It’s been done over and over but because it’s been done as one offs so to speak, and dealt with as one offs, everything doesn’t seem as doomsdayish.

The DNS stuff has some wondering if the Net could potentially cope with this vuln. It will because it will be addressed as a one-off. One of a million such stories:

Is this latest DNS one a really bad one? I don’t know enough about it to comment.

All I know is that based upon the history of the Internet and what could happen, nothing can be discounted and anyone who thinks that the whole Net is eternally safe from a real big hit is probably optimistic.

End of the day, it’s the nuts we have to worry more about than the Net criminal elements. Everything going to crap is bad for business – for everyone. Just my 2c.


I am proud to announce that Securus Global (ie; in case you did not know, our company), has 5 QSAs now!!!

Now if you are working in a large multi-national, that won’t seem like much. But here in the Asia Pacific region, that places us at close to the top in terms of number of certified “experts” in PCI DSS! We must be good now! We have more than most of our competition!!!! We’re going to win more business now!

Hmmm……”We must be good now!”…..we always were, even with 1 QSA. But, the last statement is so true. We are going to win more business now in the PCI DSS area….because of numbers. We know that because we lost jobs last year for no other reason than we had less QSAs than a couple of our competitors.

Sadly, certification numbers to some mean the world. While it doesn’t sound like much, 6 jobs we lost for PCI came down to the CIO or CEO going against the security dudes’ recommendation that they go with SG for no other reason than company X has more QSAs! WTF? True…….

Yeah, we lost a few other bids on price but that’s life….it happens when some people don’t know you but I now know, I have, based upon stats, the opportunity to win some of those jobs we would have lost.

Critical thinking has not made its way to many CIOs…….never has since the “CIO” title was invented, and CIOs are still the main reason why most companies are so badly managing security. We rave on and on and on about security dudes needing to be “certified”…..that’s not the problem…..CIOs need to be certified! If you work in IT and are at that level and know jack about IT security, you are the stuff of Scott Adams’ inspiration!

I notice little gets reported about Net Neutrality but we’re deluged with iPhone news. Wireless (in)security is no longer a hot topic but Symantec announcing it will speed up its products is big news. WAFs are a hot topic but we’ve long forgotten that good basic practices help security more than any tool will. Another annual BS security survey on how bad things are will be reported everywhere, but few will drill down to the question of why the business world’s overall state of security is poor. Everyone is in “the cloud” but no one reports almost 20 years of those companies’ previous promises/failures.

Everything is wonderful! :-) Just don’t mention PCI.

Another friend in the industry is leaving his company at the end of this week. Sadly, it’s for the same reasons everyone else I know in recent years has left their employers (to test the waters elsewhere) – “this place just doesn’t really care about security!”, “It’s all lip service!”, “they just don’t understand nor want to listen!”, “the security team has no support” etc etc etc…..same old stuff.

I don’t blame any of them. I’ve been in that position before myself a few times. You just get to a stage where you think it’s just not worth it anymore and surely there’s something better for me. But the grass is not always greener elsewhere as we know. Chances are, particularly in Australia, the next employer is not going to be much better if you’re looking for a place that takes Information Security seriously. But there are exceptions…. So how do you find out whether the potential new company is going to be any better based upon a 1 hour interview?



Kiwicon 2k8 reminder…. not that anyone would have forgotten; 27-28 September, 2008. Details:
