www.cigital.com/silverbullet

Slightly less ridiculously, I agree with you about spreading knowledge, so the title of my podcast series may have a tiny little core of truth to it.

gem

“Is the Jones family really the goal?” I asked myself.

The reason that security people do what their competitors are doing is because they cannot explain what is right and proper. In such an environment, they have to CYA by doing _best practices_ which naturally emerge to be a standard set (it doesn’t matter what the best practices are, only that they exist). Best practices secures the jobs of the security people, because there is nothing, apparently, better that they can do. Problem solved.

(I call this the market in silver bullets.)

The underlying problem then becomes one of knowing what security is and how to improve that knowledge. For this reason, secondary disclosure of breaches is very interesting; if we can disclose our breaches to our competitors, then our knowledge can improve.

Unfortunately, breach disclosure suffers from a prisoner’s dilemma, as we only benefit if we all exchange the information, and we don’t lose if we cheat.

I am happy to see that my friends at Cigital have started a blog called Justice League focsuing on software security and quality. Cigital is one security company that has always recognized that pinning your security hopes on a magic device or widget do…