Jeff Jones Security Blog

End of Year – Clean Up Your E-Mail

jrjones — Wed, 30 Dec 2009 22:10:13 GMT

Having taken some time off over Christmas, I've been taking care of some "Home Admin" tasks that have been on my todo list for a while. I decided to document these on another blog site, www.homeserverhub.com, where I post more hobby and personal stuff.

Essentially I have two top level tasks (1) Consolidate your E-Mail Accounts and (2) Clean up the Clutter, with several sub-tasks broken out.

Read the whole article at End of Year E-mail Clean Up.

Expanding SDL for Cloud and Agile Development

jrjones — Thu, 12 Nov 2009 20:20:40 GMT

With more and more business customers deciding between client, cloud, or both for their computing environments, security guidance must be dynamic and evolve along with the community. Because security and privacy are key concerns affecting adoption of cloud computing, the industry has an opportunity to assure customers that web applications running on cloud platforms can operate in a safe and trusted environment.

Microsoft has made a series of moves to take its secure development best practices beyond its borders to the broader developer community. This has included a body of guidance, an SDL Optimization Model, the creation of a network of certified service providers through the SDL Pro Network and a no-cost SDL Threat Modeling tool. All of these, plus subsequent releases of SDL programs, tools, guidance and technologies have better enabled software developers and industry partners to build security and privacy directly into software applications and provide their users with a more trusted computing experience.

Yesterday at the Tech·Ed Conference in Berlin, Germany, Microsoft announced two new SDL offerings

Security Considerations for Client and Cloud. Download a whitepaper from the SDL team that discusses security issues associated with “client and cloud” applications, and the steps Microsoft has taken to evolve SDL to address those security issues in Microsoft services.

SDL 4.1a, expanded to include Agile Development processes. Download the latest SDL process guidance that includes SDL for Agile Development, a streamlined approach that melds Agile methods and security. Comprehensive yet flexible, the SDL for Agile guidance includes all SDL requirements, but provides guidance on how to apply them even for very short release cycles.

Let me briefly expand on each of these.

Security Considerations for Client and Cloud

As the computing industry considers Cloud Computing, customer are concerned with how data will be protected. In a September 2009 online survey of IT Pros, about 51% cited security and data privacy concerns as the biggest impediment to adopting cloud services.

In Security Considerations for Client and Cloud, Microsoft takes a look at security from the point of view of development organizations that may be considering hosting their application with a 3rd-party infrastructure (ie. “cloud”) provider.

If you are to host your well-coded application on a 3rd-party infrastructure, at a high level, you should be asking questions (of potential cloud providers) concerning two general areas of security:

Operational Security and Compliance. If you have regulations governing your industry (e.g. healthcare), what does the provider do to make sure you are in compliance? What have they done to demonstrate their operational security?
Security Features and Service Level. Additionally, different providers may offer different cloud security features (e.g. supporting certain types of authentication) and different security service levels in their SLA. Ask for details to ensure that you know exactly what they will provide you (from a security perspective) as your partner in delivering services to your customers.

Of course, fundamentally, application software, whether traditional or for the cloud, still needs a structured security development process such as SDL. So, make sure you are using a structured security development process like SDL for your application.

What? You say you have a 2 week release process and use an Agile development process? No problem, read on…

SDL for Agile Development

If you are using an Agile development process, you are not alone. Agile development methods are being adopted more and more frequently in enterprises around the world. According to a recent independent analyst report, 85 percent of technology industry professionals have adopted Agile development methods at some level of maturity.

Note: if you are not familiar with Agile development and would like to know more, you may want to read a bit more on http://www.agilemanifesto.org. Wikipedia defines it as:

Agile software development refers to a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams. The term was coined in the year 2001 when the Agile Manifesto was formulated.

(also)

Notable early Agile methods include Scrum (1995), Crystal Clear, Extreme Programming (1996), Adaptive Software Development, Feature Driven Development, and Dynamic Systems Development Method (DSDM) (1995). These are now typically referred to as Agile Methodologies, after the Agile Manifesto published in 2001.

If you take a look at Bryan Sullivan’s SDL Blog post concerning SDL for Agile, he gives a great description of how the team approached the task of taking the comprehensive SDL requirements and processes and organizing the guidance into an Agile-friendly structure that can be flexibly applied to long or short agile development projects. I’ll give a quick summary of his post.

If you look at the Security Development Lifecycle and how it is described by phases, you can see that it was originally developed to integrate with the spiral-based product development process used by Microsoft to develop Windows and other business products. Though there are many differences between spiral and Agile methodologies, two key differences stand out to me:

Agile development methodologies don’t have defined phases, and
Agile releases tend to be much shorter, in some cases only a week or two

To address these differences, SDL for Agile breaks the SDL into three categories of requirements: every-sprint requirements, the requirements so important that they must be completed every iteration; one-time requirements, the requirements that only have to be completed once per project no matter how long it runs; and bucket requirements, the requirements that still need to be completed regularly but are not so important that they need to be completed every sprint.

SDL for Agile also provides guidance for adapting many of the core SDL activities to Agile. Threat modeling is a perfect example: a team could easily spend an entire week-long sprint performing threat modeling, but this may not be the best use of their time. SDL-Agile describes how a team can spend an appropriate amount of time modeling new features as well as how to build up a baseline of threat models for existing functionality.

To get the full SDL for Agile guidance, download SDL 4.1a, expanded to include Agile Development processes, and read through the new sections on Agile.

Final Thoughts

As the computing industry evolves, Microsoft continues to invest in security and privacy fundamentals and ensures its software development processes, best practices and technologies extend from Client to Cloud environments. The release of SDL for Agile and the cloud security white paper highlights Microsoft’s continued efforts to meet the changing needs of the development community and ultimately will help create a more trusted online computing experience.

Best regards, Jeff

SDL Team Adds Test Tools to the SDL Tools Arsenel

jrjones — Thu, 17 Sep 2009 00:26:58 GMT

Those of you that have been reading my blog a while know that part of my interest in security metrics is in trying to find ways to measure if Microsoft efforts to improve fundamental in security products is bearing fruit. Central to the Microsoft efforts is the Security Development Lifecycle process.

One of the cool efforts that has been happening over the past couple of years is that the SDL team (read their blog!) has been taking tools and technology that was developed internally to support the Microsoft SDL process and releasing it, cost free, to the community so that the tools could be leveraged by all types of developers. (I say “all types” and that’s true, though in some cases the tools either do more or were designed to work primarily with Visual Studio projects. Tools like MiniFuzz, though, can be used to fuzz applications regardless of the development tools used.)

Today the SDL team are making available BinScope Binary Analyzer and MiniFuzz File Fuzzer as no cost downloads.

We put together a couple of demo videos also. You can find them on edge.technet.com on this links (BinScope video, MiniFuzz video) or you can watched the embedded videos directly in this post below.

BinScope Binary Analyzer

The BinScope Binary Analyzer is an SDL-required security tool that has been used by Microsoft teams since the early days of the SDL. It analyzes your binaries for a wide variety of security protections with a very straightforward and easy-to-use interface. At Microsoft, developers and testers are required to use this tool in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL.

The analyzer performs a diverse set of security checks. These checks include:

/GS flag is being set to detect stack-based buffer overflows
/SafeSEH flag is being set to enable and ensure safe exception handling
/NXCOMPAT flag is being set to enforce data execution prevention (NX)
/DYNAMICBASE flag is being set to enable Address Space Layout Randomization (ASLR)
.NET Strong-Named Assemblies are being used to ensure unique key pairs and strong integrity checks are in place
Known good ATL headers are being used
Up-to-date compiler and linker versions are being used (minimum Visual Studio 2005 SP2)
Reports on dangerous constructs that are prohibited/discouraged by the SDL (e.g. read/write shared sections, global function pointers).

Watch this video to get an overview and see a demonstration of BinScope in action:

MiniFuzz File Fuzzer

The MiniFuzz File Fuzzer is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their software development processes. A less capable and non-graphical version of this tool was originally published on the CD that came with the book The Security Development Lifecycle by Steve Lipner and Michael Howard. Since that tool was effective at finding quality bugs, we wanted to offer it more widely along with our other SDL tools, improve the user experience, and provide integration with Visual Studio and Team foundation Server.

Because we have found fuzzing to be effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of the MiniFuzz File Fuzzer, we have made a simple file fuzzer available to assist developer efforts to find and address more security bugs in code before it ships to customers. Simply provide the tool with a set of correctly formed files to serve as templates, and it will generate corrupted versions for testing. The effectiveness of fuzz testing can be increased by providing more variation in the template files.

Watch this video to get an overview and see a demonstration of BinScope in action:

Resources and Other Information

These tools are not the first ones that the SDL team has made available. Check out the SDL Tools Repository to download BinScope Binary Analyzer and MiniFuzz File Fuzzer, as well as other tools like FxCop, the SDL Process Template for Visual Studio Team System, the SDL Threat Modeling tool, CAT.NET and the Anti-XSS library.

Best regards ~ Jeff

Project Quant Patch Management Survey Summary and Results – Available for Download

jrjones — Mon, 27 Jul 2009 23:12:31 GMT

I am extremely excited to announce that Rich Mogull and I believe we are ready to publish two key deliverables for Project Quant today and make them available for download.

I describe the other one, “Measuring and Optimizing Patch Management: an Open Model”, in another post.

Below is an excerpt from the survery summary and analysis and you can download the full report at http://securosis.com/research/publication/project-quant-survey-results-and-analysis/.

Key Findings

As part of the Project Quant community effort to develop a well-defined patch management cost model, the project team fielded a survey of patch management questions covering aspects of the patch management process. While we believe this survey, due to self-selective participation, is biased towards companies with active patch management efforts, the results were informative in that context. Key findings from the survey include:

Most companies were driven by compliance regulation, usually more than one regulation applied
Process maturity was generally high for operating systems, but low for other asset types such as applications and drivers (see chart)
Companies tend to utilize multiple vendor and 3^rd-party tools in their patch management process
40% of companies depend on user complaints as one factor for patch validation

Combining these Results with Security Trends

I am also a contributor for the Microsoft Security Intelligence Report, where I look at vulnerability trends across the industry. One of the trends we’ve observed over the past several periods is that vulnerability research, as well as malicious attack trends, seem to be increasingly focused on non-OS software – applications, drivers and so on. Combining this trend with the Project Quant survey findings, we have:

increasing risk in non-OS software such as applications
lower patch management maturity for non-OS software

These two finding together identify an clear call to action for administrators to review their patch management processes for ways to increase their ability to manage software assets beyond workstations and general servers.

Download the full report at http://securosis.com/research/publication/project-quant-survey-results-and-analysis/.

Regards ~ Jeff

Project Quant Open Patch Management Metric Model – Ready for Download

jrjones — Mon, 27 Jul 2009 23:11:40 GMT

I am extremely excited to announce that Rich Mogull and I believe we are ready to publish two key deliverables for Project Quant today and make them available for download.

The first is what I’ve referred to in the past as “the model,” which is the culmination of the first phase of Project Quant. The second is our summary and analysis of the patch management survey results, which I discuss in this other post.

Below is an excerpt from the model report executive summary and you can download the full report at http://securosis.com/research/publication/project-quant-metrics-model-report/.

Developing an Open Patch Management Metrics Model

This report includes the findings of the Project Quant patch management research project. Project Quant is dedicated to the development of a refined, unbiased patch management metrics model. The goal is to provide organizations with a tool to better understand their patching costs, and to guide improvements through an operational efficiency model capable of capturing accurate and precise performance metrics. It was developed through independent research, community involvement, and an open industry survey.

Key Findings

• There is no public platform-independent, industry-standard patch management process framework. As a result, Project Quant developed a superset framework to encompass most patching activities within any organization, regardless of technology asset under review. It includes ten phases with forty steps.

• Based on survey responses, organizations are generally mature in managing desktop operating system and server operating system patches, but process maturity quickly falls off for other technologies and platforms.

• Staff time dedicated to patch management activities represents the majority of patch management costs, and thus the model was designed to focus heavily on granular patching activities.

• Patching across multiple platforms and business activities is a very complex process, and although the Project Quant model is extremely detailed, most organizations should focus on the key metrics identified through the model.

Summary and Next Steps

• This release includes a detailed patch management process framework and metrics model to enable organizations to quantify and optimize their patch management processes.

• This is Version 1.0 of the model; future work will continue refinement, generate sample use cases, and assess it’s functionality in various user environments.

• The next step is to engage end-user organizations in focused interviews to determine how their processes and maturity align with the model and survey results.

• The model can then be adapted for use in industry benchmarking.

Microsoft Security Essentials Beta Full in One Day

jrjones — Thu, 25 Jun 2009 03:32:27 GMT

After launching yesterday, the Beta for Microsoft Security Essentials has filled up – see the screenshot below. This first Beta was limited to 75,000 participants within some targeted geographies and it is encouraging to see this target achieved in such a short time.

Microsoft Free Anti-Malware (Morro/Microsoft Security Essentials) Released as Beta

jrjones — Wed, 24 Jun 2009 00:06:12 GMT

Though I have not been directly involved with Morro (or any other anti-malware products), I am excited to see Morro (Microsoft Security Essentials, http://www.microsoft.com/security_essentials/) reach the next stage of development by releasing as a Beta package.

I personally think that Microsoft Security Essentials is a significant step forward in helping make the Internet a safer and more trusted experience for the average user. That may seem strange, given how long the industry has been around and given that there are already several free antivirus solutions available, for those that have even a slight technical interest in finding them.

I’ve shared my experience and opinion in the past about how the business anti-malware industry drives vendors to optimize towards businesses and away from consumers, so I won’t dig into that, but I do think there are some key points worth reviewing.

1. Barriers exist for “home user” protection. Unfortunately, many barriers to quality PC protection remain for consumers, both in mature and emerging markets where many threats originate. If you are the “free IT support” for your family and friends, then you already know what I’m talking about.

My Mom’s PC came bundled with trial security bundle where different components were fully enabled for some months, while other protections were partially enabled and yet other components required an upgrade to be enabled. Bottom line? Customers are confused by trials and annual subscription renewals, in many cases believing their PCs are covered when in fact their subscriptions have expired and they are not protected.

And also, let’s be frank, certain members of my family are just never going to pull the trigger on some of the online subscriptions that are available, even if they could figure out which ones are legitimate and which ones are actually disguised malware or unwanted software. And upgrades or updates? Please.

2. Threats continue to grow and evolve. E-mail threats continue to grow and evolved and since many of these are now blended threats involving web sites and some aspects of social engineering, they are even becoming more platform agnostic. By some measures, over 97% of e-mail messages sent over the Internet fall into the “unwanted” and unsolicited category.

Of course, since my Mom and yours are more aware of security issues than they were 10 years ago, malware developers have begun heavily leveraging “fake security software” and social techniques to target consumers and get them to voluntarily deploy their unwanted software. By providing an easy to find, easy to deploy solution from a known brand like Microsoft, Microsoft Security Essentials can help provide some basic, well, essentials to help fight this issue.

3. Too Many Users Need More Protection. Ultimately, the evolution of threats and the barriers for home users combine to create a situation where many users need more protection. This is not just a threat to those users, but represents a threat to the broader ecosystem when these systems are at risk of catching and spreading malware.

Key Principles

I’ve talked with the product teams about their driving principles and I think they are spot on for what home users need:

Essential Features that are necessary to enable a safer and more trusted Internet experience.

Real-time and scan detection and cleaning
Live Kernel Behavior monitoring (leveraging technology acquired from Komoku)
Improved anti-stealth functionality – (‘rootkit revealer’ style scanning)
Rootkit removal
Standalone boot scanning (boot to a preinstall environment to scan while completely inactive)
Frequent Dynamic Signature updates
Dynamic update capability (no wait for next “full signature” release)
Heuristics with pre-execution program emulation
Ability to quickly address false positives with the dynamic update capability

Easy to Get, Easy to Use

Will be easy to find from a trusted location on microsoft.com
No cost, not trials or expirations
Smart default configurations including a dark hours update schedule
Daily updates

Quiet Protection

Lightweight design, tuned for performance
CPU throtting
Fewer interruptions – no “information only” UI, only when action is needed

Deep and Broad Research Team

Led by Vinny Gullotto (long time personal colleague back to our days at McAfee)
One of the best, most experienced anti-malware research teams in the industry, built up by Vinny over the past few years. Truly, though Microsoft has been in this space a short while, the team members that Vinny has assembled have been helping make the Internet safer for pretty much forever.

Final Comments

Let me emphasize that this is just a Beta, so hopefully there will be warts. Yes, I say hopefully, because the purpose of a Beta is to get a lot of folks engaged to find those warts and report them so that they can be fixed before the product is released. Having said that, my next step is to install Morro on my home computers tonight and see if I can talk my Mom through installing it on her home machine 2000 miles away. Those two experiences should give me some great feedback that I can feed to the Microsoft Security Essentials team to help improve the Beta for final release. I’ll likely share those experiences with you here on the blog.

I also ask you to try it out and share your thoughts and feedback with me. I have a fair amount of product management experience and I’m happy to distill your various feedback down into some core requirements and then deliver it directly to the product team.

This is that latest in a series of steps over several years that I think is helping make tangible progress for making the Internet safer and more trusted for many users:

Lots of security improvements in Windows XP SP2. Remember the days before pop-up protection was introduced into IE6 in XP SP2? Remember when you kept the personal firewall turned off?
Windows Defender. Breaking ground for Essentials, Defender helped raise the bar even it it’s Beta stage.
Defense-in-depth security features in Windows Vista and the upcoming Windows7. Say what you want about Windows, security researchers and data are showing that it raised the security bar.

Best regards ~ Jeff

Open Patch Management Survey

jrjones — Tue, 09 Jun 2009 00:47:26 GMT

If you are involved in Patch Management, I’d like to ask for your help and participating in Project Quant.

Since launching in April, we’ve made some good progress in developing a high level patch cycle and have had some great participation on the forums in exploring the details of the functional elements.

Now we are at a stage where we want to gather information in the context of the Patch Cycle that the community is starting to build consensus around and with that in mind, we’ve launched an open survey at http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d which we’d love to have your partcipation with. [NOTE: The survey was developed openly too and you can see the forum discussions if you are interested.]

The goal is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices. We're doing something different with this survey. All the results will be made public. We don't mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization). Once we hit 100 responses we will release the data in spreadsheet formats. Then, either every week or for every 100 additional responses, we will release updated data. We don't plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly. As with all our material, the results will be licensed under Creative Commons.

We will, of course, provide our own analysis, but we think it's important for everyone to be able to evaluate the results for themselves. All questions are optional, but the more you complete the more accurate the results will be. In two spots we ask if you are open for a direct interview, which we will start scheduling right away. Please spread the word far and wide, since the more responses we collect, the more useful the results.

If you fill out the survey as a result of reading this blog post, please use JJBLOG as the registration code. This is optional and won't affect the results, but we think it might be interesting to track how people found the survey, and which social media channels are more effective.

As with the rest of this project, the results will be up at http://securosis.com/projectquant.

Best regards and thanks, Jeff

Project Quant : Patch Management Cycle

jrjones — Fri, 01 May 2009 00:32:40 GMT

Although we posted some of our initial thoughts, and have been getting some great feedback from everyone, Rich and I realized that we need a standard patch management cycle so that we can break apart the different parts of the project, so that they can be considered separately and in detail.

Rich has researched several other patch management cycles, and posted a graphic that represents a tentative granular cycle that enables us to move forward. Clicking on the image will take you to the Project Quant project page and Rich’s original post, which also provides a brief description for each component shown on the graphic.

Also, I want to make sure that you know the Project Quant Forum pages are up and active. Thanks to DS, Dutch, Daniel, Allen and others that have shared their expertise on the “initial thoughts” thread.

Mythbusters jamie and Adam – Final Keynote RSA 2009

jrjones — Sun, 26 Apr 2009 11:09:18 GMT

RSA Conference 2009 Webcasts – Day 4 Keynotes (Friday)

There is only a relatively small group of people that stay all the way to the end of the RSA Conference to see the final Friday keynotes, but they were worth the wait. I can honestly say the two afternoon keynote sessions were my favorite ones of the whole week. See my previous post: Cheswick and Thompson ‘Securin Ain’t Easy’ Rap Video @ RSA 2009 about the first keynote.

And the final keynote? … Jamie Hyneman and Adam Savage of the Mythbusters television show.

These guys are great. If you’ve never seen an episode on the Discovery Channel, then check out a few of the clips on the Mythbuster Youtube landing page.

To give you a flavor of the interview, here is an actual question asked of Adam and Jamie by host Bill Duane: What is the coolest thing that you’ve ever blown up? The question comes near the end of the video, fyi.

[click photo to open video]

Jamie and Adam also brought along a video collage they had put together with some “goof reel stuff” and what they referred to as “explosion porn.” It was fun to watch, but unfortunately, that video clip was not allowed to be in the webcast. Still I think you’ll enjoy the segment, which is about 35 minutes long.

Regards ~ Jeff

Cheswick and Thompson ‘Securin Ain’t Easy’ Rap Video @ RSA 2009

jrjones — Sun, 26 Apr 2009 11:02:00 GMT

RSA Conference 2009 Webcasts – Day 4 Keynotes (Friday)

Why?

How about this? Dr. Hugh Thompson (of People Security and the Hugh Thompson Show) and firewall legend Bill Cheswick do a rap video… sing it with me now “…There were patches, breaches, lots of data leakage…”

[click photo to open video]

After the introductory rap video, Hugh had some great guests that talked a real life identity theft incident that happened last year where a hacked Facebook account was used to get Facebook friends to urgently send money to help their friend who was “stuck in London with no money to get home.” Watch the video, I’m sure you’ll enjoy it.

Regards ~ Jeff

RSA Conference 2009 Webcasts – Day 3 Keynotes (Thursday)

jrjones — Thu, 23 Apr 2009 18:00:00 GMT

The RSA Conference team has done an excellent job of making videos available this year for those that could not attend the conference live. Plus, like watching your American Idol on your DVR, you can easily skip past the parts you find boring and just focus on the exciting stuff.

(Again, if you haven’t watched it, I encourage you to watch the Opening ceremony from day 1.)

The webcast keynotes for Thursday:

Brian J. Truskowski, IBM Global Technology Services
Philippe Courtot, Qualys
Dave Hansen, CA

RSA Conference 2009 Webcasts – Day 2 Keynotes (Wednesday)

jrjones — Wed, 22 Apr 2009 18:00:00 GMT

(Again, if you haven’t watched it, I encourage you to watch the Opening ceremony from day 1.)

The keynote webcasts for Wednesday:

Melissa E. Hathaway, National & Homeland Security Council
Panel Discussion, Information Governance
John Chambers, Cisco Systems
Dave DeWalt, McAfee
Brian Smith, Ph.D., TippingPoint
James Bamford, Author of “The Shadow Factory”

RSA Conference 2009 Webcasts – Day 1 Keynotes (Tuesday)

jrjones — Tue, 21 Apr 2009 18:00:00 GMT

RSA Conference 2009 kicked off with a video honoring Edgar Allen Poe and tying Poe to cryptography, which led into an awesome dual violin performance that I thoroughly enjoyed (do not skip the opening ceremony video!)

The keynote webcasts for Tuesday cover:

Opening ceremony (Poe video & dual violin performance)
Art Coviello, RSA/EMC
Enrique T. Salem, Symantec “An Environment of Increasing Complexity and Risk”
Scott Charney, Microsoft “Moving Towards End to End Trust: A Collaborative Effort”
The Crypotographer’s Panel
- Whitfield Diffie
- Martin Hellman
- Ron Rivest
- Adi Shamir
- Bruce Schneier
Lieutenant General Keith B. Alexander, NSA/CSS

(If you care ;-) I particularly recommend and point you to the following:

The Opening Ceremony video – I just liked it.
Scott Charney’s webcast if you have an interest in End to End Trust, as he does a good job of laying out why it is needed and why it must be solved as a collaborative effort by the entire industry.
Martin Hellman on the Cryptographer’s Panel, which follows up on a them I loved last year (read RSA Crypto Panel: Martin Hellman on 0.01% Events) concerning Low Probability High Impact events.

Click on the Webcast image above, or here to go to the webcast page.

Project Quant

jrjones — Fri, 17 Apr 2009 00:40:03 GMT

I am pleased today to announce a project that I have been working to get going for a little while – Project Quant – an open model/method development project being done in conjunction with Rich Mogull of Securosis with the goal of developing a cost model for patch management response that accurately reflects the financial and resource costs associated with the process of evaluating and deploying software updates (patch management).

For me, this is a convergence of two passions that I have in my job and the work I do:

Helping establish objective metrics for security, and
Providing tools that are useful to customers

I’ve spoken with a lot of Microsoft customers and found that within the IT departments, they have a strong desire for metrics that help them drive their day-to-day business. Many of my past analyses and reports were developed with this in mind, but they tend towards the technical and less towards the business aspects of security. If we know two software companies both fixed 50 vulnerabilities last year, while that might tell us something about the software, that doesn’t tell us about how it impacted different customers in terms of work required or resources.

As a small (incomplete) example, here are some things that would affect the IT departments:

How many updates were the fixes bundled into and when were they released?
Do the vulnerabilities affect software I have in production or not?
What were the severity ratings and what is my policy with respect to severity ratings?
How many people work in patch management for my company and what are their roles?
What sort of tools do I have for deployment?

I think what is needed is a model that captures these and many other aspects of patch management policies and operational realities that is also flexible enough to model small businesses as well as very large corporations. Project Quant is an effort to get the ball rolling in that effort.

Regards ~ Jeff

Want to participate in Project Quant? Have experience with IT patch management? Opinions? Then we want you to participate! Go check out the Project Quant page on Securosis.com and begin sharing your thoughts and ideas. Discussion forums will be up within a day or two as well.

Initial Project Quant news coverage:

http://blogs.zdnet.com/security/?p=3151

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=216500918

http://threatpost.com/blogs/microsoft-unveil-patch-management-metrics-project

http://www.eweek.com/c/a/Security/Microsoft-Analysts-Team-Up-to-Improve-Patch-Management-372087/

(and a German article) Microsoft: Schnelleres Patchen mit Project Quant

Quick Links

Introducing Project Quant (Securosis.com)
Project Quant- Goals (Securosis.com)