Cyber UL – Reloaded

So about nine years ago Tan at the L0pht first wrote about the creation of a Cyber Underwriters Laboratory. Like the real UL, the Cyber UL would be tasked with independently testing and evaluating software, specifically security-related software, without the influence of vendors. At the time no one paid much attention and the idea went pretty much nowhere. Since then, in the wake of broken, insecure USB drives and people still using XOR encryption, luminaries such as Bruce Schneier and even myself have commented that such an organization is sorely needed.
Well, Tan has now responded with a follow-up to his original paper. The new paper, Cyber Underwriters Laboratories – Reloaded, takes a look at the PCI compliance required by VISA as a possible starting ground or model for such an organization.
Let's hope that this time people realize that such software evaluations are critical not just to the future of online commerce but to the future of simply being online.
Security Ethics? Are there any?

I have a list of websites that I read as part of my morning ritual, just like everybody else. It helps fritter away the first few minutes of the day as I wait for my tea to cool to a drinkable temperature. Like most of the people who visit my little blog here, you probably also read Slashdot. The stories are usually interesting enough to hold my interest while waiting for the aforementioned tea. (Red, if you must know.) Today, however, brought a very rare treat (for /. anyway): an extremely interesting and informative comment thread regarding security ethics, an important topic that isn't discussed very often outside of vulnerability disclosure. Considering just how valuable security people and IT workers in general are to a company (despite what your boss might think), it is important to maintain a high level of ethical behavior while at the same time remaining gainfully employed, especially when all too often those two tasks seem diametrically opposed. This balancing act has forced me to change employment more than once. The discussion thread on Slashdot provides some interesting horror stories, sage advice, and amusing anecdotes about what really goes on during those SOX, SAS-70, 404, etc. audits that the big companies (and governments) are so fond of.