• Download: Windows Vista One Year Vulnerability Report

    Excerpt of a blog by Jeff Jones:

    Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product.

    This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products.

    http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx

    Urs

  • Virtualization: What are the security risks?

    Virtualization will become dominant in enterprises, but the security risks are fuzzy at best. Meanwhile, the usual defenses (firewalls, security appliances and such) aren’t ready for virtualization.

    http://blogs.zdnet.com/security/?p=821

    Urs


  • EU: IP Addresses Are Personal Information

    IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.

    http://www.cbsnews.com/stories/2008/01/21/tech/main3734904.shtml?source=RSSattr=SciTech_3734904

    Urs


  • ISC2: HR given guide to info security skills

    ISC2, the non-profit international body that educates and certifies information security professionals, today announced the publication of its "Hiring Guide to the Information Security Profession".

    The free 30-page guide is designed to provide human resources (HR) with best practice tips on how to best find, recruit, hire and retain qualified information security staff.

    http://www.itpro.co.uk/news/157143/hr-given-guide-to-info-security-skills.html

    or get the guide directly from ISC2: https://www.isc2.org/cgi-bin/hiring_guide.cgi

    Urs

  • Open-source projects certified as secure – huh?

    From the Blog of Michael Howard:

    I really got a chuckle out of this news item, especially this line: “Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.”

    So we finally have the security silver bullet!
    Run this tool on your code, fix the bugs, and you’re secure (and maybe unbreakable?!)? I don’t think so.

    There are three big problems with this line of thought:

    • First, the security bugs found are only the security bugs found by the tool, and that list is always smaller than the list of all bugs.
    • Second, it assumes that any new code or code changes are bug free. Which may or may not be true. In my experience, it is rarely true that new code is utterly bug free if you don’t take a holistic, process-oriented view to security.
    • Third, and this is probably the most important, at best the tool understands a subset of today’s vulnerabilities; that could all change tomorrow when a new class of vulnerability or a subtle variant is found.

    Full blog post:
    http://blogs.msdn.com/michael_howard/archive/2008/01/10/open-source-projects-certified-as-secure-huh.aspx

    Urs
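As an added illustration of the first and third points in the quoted post (this is example code written for this digest, not code from the post, from Coverity or from any certified project), here is a toy signature-based static checker in Python. Its three-entry rule table, the two C samples it scans and the function names are all constructed for the example. It flags a strcpy() overflow, but gives a “clean” verdict to a hand-rolled copy loop with the same stack-overflow defect, because that pattern is outside the rules the tool knows about.

```python
import re
from dataclasses import dataclass

# Constructed rule table: a deliberately tiny subset of "known-dangerous"
# C library calls. Real analyzers have far larger rule sets and data-flow
# analysis, but the limitation shown below is the same in kind.
DANGEROUS_CALLS = {
    "gets": "unbounded read into a buffer",
    "strcpy": "unbounded copy into a buffer",
    "sprintf": "unbounded formatted write into a buffer",
}

CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(")


@dataclass
class Finding:
    line: int
    call: str
    reason: str


def scan(source: str) -> list[Finding]:
    """Flag every call to a function in DANGEROUS_CALLS.

    An empty result means "nothing in the rule table matched", which is
    not the same statement as "no security defects".
    """
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]  # ignore trailing line comments
        for match in CALL_RE.finditer(code):
            name = match.group(1)
            findings.append(Finding(number, name, DANGEROUS_CALLS[name]))
    return findings


def certification_verdict(source: str) -> str:
    """Mimic a 'certified clean' decision: no findings means 'clean'."""
    return "clean" if not scan(source) else "defects found"


# Constructed sample 1: the overflow goes through strcpy, so the rule
# table catches it.
FLAGGED_SAMPLE = """\
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);   // overflow if name is longer than 15 bytes
}
"""

# Constructed sample 2: the same class of bug (stack buffer overflow),
# written as a loop bounded by the input length instead of sizeof(buf).
# No call from the rule table appears, so the checker reports nothing.
MISSED_SAMPLE = """\
void greet(const char *name) {
    char buf[16];
    size_t i = 0;
    while (name[i] != '\\0') {   // bound is the input, not the buffer
        buf[i] = name[i];
        i++;
    }
    buf[i] = '\\0';
}
"""

if __name__ == "__main__":
    for label, sample in (("flagged", FLAGGED_SAMPLE), ("missed", MISSED_SAMPLE)):
        print(f"{label}: {certification_verdict(sample)}")
        for f in scan(sample):
            print(f"  line {f.line}: {f.call}() - {f.reason}")
```

Running the block prints “defects found” for the first sample and “clean” for the second, even though both functions overflow `buf` on a 16-byte input. That is the gap the post describes: the certified list is the list of bugs the rules can express, and adding a rule for the loop pattern tomorrow would not change today’s verdict.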