STE WILLIAMS

Firefox’s plugin-blocker slams into beta


With its latest beta release, the Mozilla Foundation has taken a step further toward making click-to-run the default behavior for all plugins in Firefox.

“Outdated plugins are a big source of security vulnerabilities so this feature will ensure users are safe and Firefox runs smoothly,” the Firefox team said in a blog post on Thursday.


Under the new system, instead of automatically running plugins when a page opens, Firefox will replace that content with boxes warning the user that the required plugins may be vulnerable to exploits. The content will only be displayed if the user explicitly activates the plugins – each a potential infection vector for malware.

The one exception to this new policy is Adobe’s Flash Player plugin, which Mozilla has determined is used by too many websites to fall under the manual activation requirement. But Firefox users will only be able to dodge the click-to-run warning if the version of the Flash plugin they have installed is the latest one.

“Users with older versions of Flash that are known to be insecure will see the click-to-activate user interface and will be prompted to upgrade to the latest version,” Mozilla’s Benjamin Smedberg wrote in September. “Our security and plugin teams work closely with Adobe to make sure that Firefox users are protected from instability or security issues in the Flash plugin.”

This isn’t the first time Mozilla has implemented such security measures. With the release of Firefox 24 in September, Mozilla marked all versions of the Oracle Java plugin as “unsafe,” including the latest build – a decision that was eventually rescinded amid widespread uproar from the Java-using community.

Mozilla isn’t alone in being concerned about the potential security threats posed by plugins, either. Google’s approach to locking down Flash in its Chrome browser is to bundle the plugin inside the browser itself and update it automatically, so that users can’t run an old version of the plugin even if they want to.

Mozilla has been testing its click-to-play plugin system in its experimental Firefox builds since January. With its release into the beta channel on Friday, the technology moves a major step closer to becoming part of the mainstream Firefox product.

The latest mainstream version of the browser, Firefox 25, was released on Tuesday with a smattering of new features, most notably support for the Web Audio API and blocking of insecure content on encrypted web pages.

If all goes according to plan, Firefox 26 is expected to move from beta into public release status with click-to-run plugins enabled by default during the week of December 10. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/firefox_plugin_blocking_enters_beta/

Australian confirms Huawei ban


Australia’s new and conservative prime minister Tony Abbott has reportedly confirmed the nation’s decision to ban Huawei from providing any kit to the country’s national broadband network.

Australia famously banned Huawei not long after Barack Obama and his entourage visited the nation in 2010. The ban is thought to have come after US intelligence authorities explained to Australia why the home of the free isn’t keen on Huawei. Once Australia learned why, it slammed the door on Huawei’s bid to build the NBN.


The NBN won’t be a part of Australia’s secure communications networks but will, as the nation’s public data backbone, carry all manner of traffic. Excluding Huawei from providing so much as a single four-port switch was therefore a powerful statement of Australia’s discomfort with the Chinese vendor.

Huawei’s response has been a charm offensive. It has sponsored a local football team, fired up various charitable initiatives and brought high-ranking execs down under to deliver “headland” speeches. The company also appointed former Liberal party ministers to its board, a decision seen as giving it more clout with Australia’s Liberal/National government.

A fake tattoo on the leg of Canberra Raiders footballer Sandor Earl, sent by Huawei as an April Fool

Huawei’s charm offensive included the pic above, an April 1 jape depicting a footballer at sponsored club the Canberra Raiders having the Huawei logo applied as a tattoo. The footballer in question subsequently became embroiled in a scandal regarding performance-enhancing drugs

If Murdoch organ The Australian is to be believed, and on matters concerning the Liberal party it often has an inside line, the new government has read national security assessments about Huawei and decided to keep the previous government’s Huawei ban in place. The paper’s paywalled report says Abbott has decided to keep the ban and has written to opposition leader Bill Shorten to confirm the ban stands. Putting it on letterhead makes it official.

Given the new government is overturning all sorts of policies the previous government ran with, this lack of reversal is significant.

Huawei is yet to issue its usual “we’re awfully nice, wouldn’t hurt a fly and therefore awfully disappointed” statement. If it does more than that, we’ll let you know. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/australian_confirms_huawei_ban/

How Dark Mail Alliance promises virtually NSA-proof email next year


The Dark Mail Alliance has revealed more details of plans to build a secure, encrypted email system that’s surveillance-proof, provided the user’s machine isn’t already pwned.

Jon Callas, CTO of Silent Circle and cofounder of the Dark Mail Alliance, told The Register that the idea for the service came when he met up with Ladar Levison, founder of the now-defunct encrypted email service Lavabit, at a conference last month – and they started discussing the current state of government eavesdropping and what to do about it.


“It’s got to be better to start from a position of near total security and then work down as needed, rather than starting with no security and then add on code to try and make it more secure,” Callas said.

Both have the skills needed to set up such a system. Callas and fellow Silent Circle partner Phil Zimmermann were both at PGP, the outfit that brought encryption to the masses in the early 1990s, and more recently set up secure communications biz Silent Circle.

For nearly a decade Levison ran Lavabit (formerly Nerdshack) to make sure that email users could encrypt their messages and store them safely, before shutting the service down rather than compromise his users’ security.

The full details of the Dark Mail Alliance system will be published in a white paper shortly, but in a nutshell it builds on SMTP and the Extensible Messaging and Presence Protocol (XMPP). The user generates a private key on their device and publishes the matching public key on an open server; sent emails are encrypted and stored in the cloud for pickup as needed.

‘It’s as secure as it can be, we think’

“Anyone monitoring the email would be able to see the size of the message but that’s about it,” Callas explained. “Of course, if the owner’s device has already been subverted by malware then the private key can be found, but it’s as secure as it can be, we think.”
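The flow Callas describes, written out as an added example for this page rather than anything from the Dark Mail Alliance (whose protocol is not yet published): the key pair is generated on the device, only the public half is registered with the server, and the server stores and serves ciphertext. It runs on the Python standard library alone, so the X25519 ladder is spelled out and an HMAC-based stream cipher with encrypt-then-MAC stands in for a real AEAD such as AES-GCM; the blob layout, the 256-byte padding bucket and the Server class are assumptions for illustration. The padding is there to blunt the one thing Callas concedes an observer still gets, the message size.

```python
"""Private key on the device, public key in an open directory, ciphertext on the
server. Added example for this page, not Dark Mail code; see the lead-in for
what is assumed."""
import hashlib
import hmac
import secrets

P = 2**255 - 19                       # field prime for X25519 (RFC 7748)
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
BUCKET = 256                          # padded length granularity (assumed policy)


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Python ints are not constant-time, so a real
    deployment uses a vetted library routine; the arithmetic is the same."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    """Run on the user's device; only the public half is sent to the directory."""
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def _keys(shared: bytes, epub: bytes, rpub: bytes):
    ikm = shared + epub + rpub            # bind the keys to both public values
    return hashlib.sha256(b"enc|" + ikm).digest(), hashlib.sha256(b"mac|" + ikm).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF; stand-in for AES-CTR/ChaCha20.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, ks))


def _pad(msg: bytes) -> bytes:
    body = len(msg).to_bytes(4, "big") + msg
    return body + b"\0" * (-len(body) % BUCKET)   # observer sees the bucket, not the length


def encrypt(recipient_pub: bytes, plaintext: bytes) -> bytes:
    epriv, epub = keygen()                        # fresh ephemeral key per message
    enc, mac = _keys(x25519(epriv, recipient_pub), epub, recipient_pub)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, _pad(plaintext))
    tag = hmac.new(mac, epub + nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return epub + nonce + ct + tag


def decrypt(recipient_priv: bytes, recipient_pub: bytes, blob: bytes) -> bytes:
    epub, nonce, ct, tag = blob[:32], blob[32:48], blob[48:-32], blob[-32:]
    enc, mac = _keys(x25519(recipient_priv, epub), epub, recipient_pub)
    if not hmac.compare_digest(tag, hmac.new(mac, epub + nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: tampered, or not encrypted to this key")
    body = _xor_stream(enc, nonce, ct)
    return body[4:4 + int.from_bytes(body[:4], "big")]


class Server:
    """Directory of public keys plus a ciphertext store. It holds no private key
    and no plaintext; observe() is all a passive watcher of the server gets."""
    def __init__(self):
        self.directory, self.mailbox = {}, {}

    def register(self, addr: str, pub: bytes):
        self.directory[addr] = pub

    def deliver(self, addr: str, blob: bytes):
        self.mailbox.setdefault(addr, []).append(blob)

    def observe(self, addr: str):
        return [len(b) for b in self.mailbox.get(addr, [])]


if __name__ == "__main__":
    srv, (priv, pub) = Server(), keygen()
    srv.register("alice@example.net", pub)
    srv.deliver("alice@example.net", encrypt(srv.directory["alice@example.net"], b"meet at 9"))
    print("server sees:", srv.observe("alice@example.net"), "bytes per message")
    print("device reads:", decrypt(priv, pub, srv.mailbox["alice@example.net"][0]))
```

Two things worth noticing when running it: a 9-byte note and a 200-byte one produce blobs of identical size, so the size leak Callas mentions is reduced to a bucket count, and the Server object never holds anything that would let it decrypt, which is exactly why malware on the device (where the private key lives) is the attack that remains.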

The team will open source all of the code and invite the community to poke holes in it and find weaknesses. The first version of the basic code will be out next year, Callas said, but the team also wants to build components that would allow companies and email providers to easily add the technology to their systems.

So far interest in the system has been high, Callas said, with many people in the security industry getting in touch wanting either more details or offering to help. However, no one from the government has been in contact at this time.

Services such as this are bound to bring up the accusation that the Dark Mail Alliance is aiding the four horsemen of the infocalypse: terrorists, organized crime, pedophiles, and drug dealers. Callas rejected this, pointing out that there are already many existing laws for getting access to an individual suspect’s emails that would work just fine and that the group is “not fond of bad guys.”

He pointed out that in the case of Lavabit, Levison was happy to help with law enforcement requests for assistance. But he shut down the email service because federal investigators looking into Edward Snowden’s account wanted full access to everyone’s email on the site, not just their target’s.

As for the name of the group, it has been reported that the inspiration for Dark Mail Alliance is somewhat Star Wars-based. But Callas pointed out that “dark” also means hidden or secret, as well as complex and rich, as in “a dark voice.”

“We had a discussion among ourselves about what to call Dark Mail, and one of the reasons that we decided we liked it was that it is a complex word,” he said.

“Moreover, one of the major corrosive effects of mass surveillance is that it causes people to self-edit, to fear to do things unseemly, to be safe. We didn’t want to call it ‘Shiny Happy Mail.’ Dark Mail for us reflects our dark humor as well as the dark humors that surveillance puts us in,” he said.

“I think it’s sad that there’s been a flutter over ‘dark’ because it can mean only some things to some people. That is, however, the sort of thing that isn’t unexpected. These are dark times, and it’s hard to have a dark laugh.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/dark_mail_alliance_promises_nearly_nsaproof_email_next_year/

Anonymous hacked off with Singapore’s menacing net rules plan


A hacktivist claiming to be part of Anonymous has backed a call by Google, Facebook and others to scrap proposed internet licensing rules in Singapore which have been described as state censorship by the back door.

In a YouTube video, the figure argues that “no government has the right to deprive their citizens the freedom of information”, and calls on “fellow Singaporean brothers and sisters” to protest on 5 November if the licensing proposals aren’t binned.


The hacktivist, who goes by the name ‘The Messiah’, has already been at work, defacing a web page of Singaporean newspaper The Straits Times with the message: “Dear ST: You just got hacked for misleading the people!”

It seems The Messiah wasn’t happy with the way the paper reported the video, after it “chose to conveniently modify the sentence ‘war against the Singapore Government’ into ‘war against Singapore’.”

The new Licensing Regime, which was revealed earlier this year by the Singaporean government, will require online news sites reporting on the city state to put up a “performance bond” of S$50,000 and “comply within 24 hours to MDA’s directions to remove content that is found to be in breach of content standards”.

Singapore’s government, which has been formed by the same party for over 50 years, either directly or indirectly owns traditional media. The new rules have therefore been seen as an attempt to bring to heel foreign owned and independent sites which locals read for less-likely-to-be-sanitised news.

The licensing proposals have already garnered strong opposition. Over 130 Singaporean web sites blacked out their home pages in June and activists attended a #FreeMyInternet rally in the city state’s Hong Lim park.

The Asia Internet Coalition, which lists Google, Facebook, Yahoo and others among its members, has also been highly critical.

The coalition wrote in an open letter to communications minister Yaacob Ibrahim in July that the proposed rules “could unintentionally hamper Singapore’s ability to continue to drive innovation, develop key industries in the technology space and attract investment”.

Despite its façade as a shiny, modern Asian nation, Singapore ranks a lowly 149th on Reporters Without Borders’ Press Freedom Index 2013, sandwiched by Iraq and Russia. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/singapore_anonymous_hacks_internet_rules/

Once-A-Year Risk Assessments Aren’t Enough

While it is important that security organizations employ effective methods for walking through an IT risk assessment, the frequency with which they go through that process is almost as important as the means of carrying it out. Unfortunately, even when security organizations cover all of their bases in an IT risk assessment, if they don’t assess often enough they could still be leaving themselves open to a great deal of risk.

Even though many compliance mandates such as HIPAA require risk assessments only be performed annually, that’s not nearly often enough for most organizations, says Gary Alterson, director of risk and advisory services for Neohapsis.

[How do you know if you’ve been breached? See Top 15 Indicators of Compromise.]

“Given the rapidly changing threat environment and how fast IT moves, I recommend that risk assessments be refreshed and reviewed at least quarterly, if not monthly,” Alterson says.

But the reality is that most organizations today have a hard enough time keeping up with their annual risk assessments, says Jim Mapes, chief security officer at BestIT, which is why he says that organizations have to rethink the way they approach the process.

“A better approach is to make risk assessments more of a life cycle and process within the organization,” he says. “Perform assessments continuously throughout the year, collecting data on new vulnerabilities, remediation of older vulnerabilities, and identification of problem areas where vulnerability could not be remediated and recording the business decision to mitigate the risk and impact to some other acceptable level.”

Crucial to that evolution to a life cycle mentality is building time and resources into the IT life cycle for internal auditors, says Alterson’s colleague Nathaniel Couper-Noles, principal security consultant for Neohapsis. According to Couper-Noles, one of the most common refrains he has heard from auditees is that they’re too busy for an internal audit.

“Paradoxically, a lack of reserve capacity actually justifies audit attention as this is often the case when schedules are too aggressive, when projects are in the lurch, controls may be relaxed, and uncorrected small issues lead to bigger ones,” he says. “Audit early and audit often, and condition IT teams to design processes and systems so that they can be audited comprehensively, painlessly and effectively.”

Part of that design should include day-to-day tracking of operational risk factors that affect the business’ security posture. This is especially key for keeping track of changes in the IT environment or the threat environment that happen between assessments. While it may seem a tall task, organizations can at least get started on a more continuous assessment process by prioritizing.

“Don’t try to conquer the world all at once! Focus on what matters most by identifying the proprietary, financial, and customer data that we tend to be most risk-averse about when it comes to its protection,” says Luke Klink, security consultant for Rook Consulting.

Finally, most critical is that organizations shouldn’t just be assessing risks but also working on mitigating them throughout the life cycle. Leaving the same critical risks to be identified in assessment after assessment is the security equivalent of wheel-spinning, and something that Eric Cabetas, managing partner of Include Security, says organizations do all of the time.

“I’ve seen a company have an AppSec SDLC assessment conducted yearly, and they pay $200,000 for it just to ignore the recommendations of the consulting company year after year,” he says. “The consulting company happily takes their pay and leaves until next year, not providing any value at all to the assessed company. They should have instead done an analysis of why originally identified risks are not being addressed within the client company.”


Article source: http://www.darkreading.com/risk/once-a-year-risk-assessments-arent-enoug/240163427

How to protect your critical infrastructure

National Cyber Security Awareness Month (NCSAM) 2013 is drawing to a close, and the final week has been focused on the growing intersection between cyber and physical security when protecting the nation’s critical infrastructure.

Here at Naked Security our focus during NCSAM has been on what we can do as individuals to better protect ourselves, so we thought we’d personalise this final week’s theme and look at how you can protect your critical infrastructure.

Most of our readers come from North America and Western Europe and are probably lucky enough to expect taps that flow, lights that switch on and telephones that ring (when they should). This reliability can breed complacency: we only realise the importance of something when it’s no longer working.

Of course achieving such reliability isn’t simple. If you work in IT you can probably appreciate how much effort goes into keeping a service running 24/7/365 even in relatively benign conditions. Throw in some adversaries and things get a lot harder.

Likewise, it’s easy to overlook the security of IT infrastructure that “just works”. Worse yet, it’s likely to be the low level stuff that nobody wants to touch. It’s probably not been patched for years yet it’s absolutely critical for your business.

Here are a few areas to consider:

Power. Today’s uninterruptible power supplies and power bars are pretty clever bits of kit. Unfortunately, anything that’s clever probably has a significant attack surface. Pay particular attention to anything that has an IP interface. It’s likely running an embedded system that needs patching just like your servers.

Server management cards (IBM RSA, HP iLO, Dell DRACs etc): these things are notoriously flaky and hard to manage. If an attacker gets access via one of these cards it is, by design, as good as physical access and game over for your data. They all ship with default passwords which are just a quick Google away, and the difficulty of managing them (often requiring a server reboot) means it’s easy to forget to change them. Worse yet, they also tend to run IPMI (the Intelligent Platform Management Interface), turned on by default. You might not even realise you’re running it, but serious security flaws have recently been found in many vendors’ implementations.

Given the difficulty of managing these embedded systems, it’s a very wise idea to keep them well firewalled off from your main network and the internet. Only trusted administrators should be given access to their network. However this needs to be supplementary to patching and password management. Isolated networks can sometimes give a false sense of security. Given the complexity of server cabling or VLAN configuration you should plan for mistakes. At some point one of these devices will find its way onto the wrong network.

Lastly, it’s worth pointing out that your switches and routers are computers too. Cisco, particularly, have had a tough time recently with multiple serious IOS vulnerabilities. Again, a separate management network can help but if a vulnerability is exploitable via any IP interface, patching, good passwords and secure management protocols are absolutely essential.
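A practical way to act on the advice above is to audit an inventory of the embedded kit against a written policy, on a schedule, so that the device that wandered onto the wrong VLAN gets noticed. The following is an added example for this page, not code from Naked Security or any vendor; the inventory records are constructed, and the out-of-band network range, the cleartext-protocol table and the patch-age threshold are assumed policy values. The severity rules follow the article’s point that isolation is only supplementary: default credentials are bad, and default credentials on a card that is also reachable from the production network are worse.

```python
"""Audit of embedded management interfaces against a written policy. Added
example for this page; inventory records are constructed and the policy
values below are assumptions."""
import ipaddress

OOB_NET = ipaddress.ip_network("10.99.0.0/24")     # assumed out-of-band management network
CLEARTEXT_MGMT = {23: "telnet", 80: "http", 161: "snmp v1/v2c"}
IPMI_PORT = 623                                     # RMCP/IPMI over UDP
MAX_FIRMWARE_AGE_DAYS = 365
SEVERITY = {"critical": 0, "high": 1, "medium": 2}

# Constructed inventory, the shape a CMDB export or a scan of the rack might give.
INVENTORY = [
    {"host": "db01-ilo", "kind": "bmc", "mgmt_ip": "10.99.0.12",
     "tcp": [443], "udp": [623], "default_creds": False, "firmware_age_days": 90},
    {"host": "web03-drac", "kind": "bmc", "mgmt_ip": "192.168.1.40",
     "tcp": [22, 80, 443], "udp": [623], "default_creds": True, "firmware_age_days": 800},
    {"host": "ups-rack2", "kind": "ups", "mgmt_ip": "192.168.1.200",
     "tcp": [23, 80], "udp": [161], "default_creds": True, "firmware_age_days": 1200},
    {"host": "core-sw1", "kind": "switch", "mgmt_ip": "10.99.0.2",
     "tcp": [22, 443], "udp": [], "default_creds": False, "firmware_age_days": 400},
]


def audit_device(dev: dict) -> list:
    """(severity, message) findings for one device; an empty list means compliant."""
    findings = []
    ip = ipaddress.ip_address(dev["mgmt_ip"])
    exposed = ip not in OOB_NET                      # cabling/VLAN mistake: on the wrong network
    if exposed:
        findings.append(("high", f"management interface {ip} is outside {OOB_NET}"))
    if dev["default_creds"]:
        # Isolation is only supplementary: defaults on an exposed device are game over.
        findings.append(("critical" if exposed else "high", "factory default credentials still set"))
    if IPMI_PORT in dev["udp"]:
        findings.append(("high" if exposed else "medium", "IPMI (623/udp) enabled"))
    for port in dev["tcp"] + dev["udp"]:
        if port in CLEARTEXT_MGMT:
            findings.append(("medium", f"cleartext management protocol {CLEARTEXT_MGMT[port]} on {port}"))
    if dev["firmware_age_days"] > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("medium", f"firmware {dev['firmware_age_days']} days old (limit {MAX_FIRMWARE_AGE_DAYS})"))
    return findings


def audit(inventory: list) -> dict:
    return {dev["host"]: audit_device(dev) for dev in inventory}


def worst_first(report: dict) -> list:
    """Flattened (host, severity, message) rows, most severe first."""
    rows = [(host, sev, msg) for host, fs in report.items() for sev, msg in fs]
    return sorted(rows, key=lambda r: SEVERITY[r[1]])


if __name__ == "__main__":
    for host, sev, msg in worst_first(audit(INVENTORY)):
        print(f"{sev:8} {host:12} {msg}")
```

Feed it whatever your CMDB or scanner actually produces; the point is that the check runs every time, not once when the rack is built, because the device that is compliant today is the one somebody re-cables next quarter.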

If you want to read more about protecting your network and IT systems then you might enjoy our Practical IT guides to firewalls and handling perimeter expansion and disintegration.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ze5B22MhEiM/

Lessons to learn from the MongoHQ database breach

Cloud-based database services company MongoHQ is in “we’d better fix things” mode this week, following a network intrusion that proves the old adage that once you’ve been breached, all security bets are off.

And if you’re a database provider, any breach anxiety is no doubt greater than usual.

After all, it’s not just your own databases that were put at risk, possibly including data about your customers, it’s your customers’ databases, probably including data about your customers’ customers.

(Imagine, in Adobe’s recent SNAFU, if the multimedia giant hadn’t merely lost its own source code, but all your source code, too.)

Now, regular readers of Naked Security will know that I’m partial to a good apology when a company deals with a breach, and MongoHQ CEO Jason McCay didn’t disappoint, writing earlier in the week that the company was “deeply sorry this occurred.”

I know apologies don’t actually fix anything, but in the hush-hush world of computer security, unambiguous apologies often act as a signal that things aren’t going to get swept under the carpet.

That, in turn, probably means you’ll actually find out what happened, and instead of hearing platitudes like, “We’re going to fix this so you can trust us next time,” you’re more likely to hear, “This is what we’re doing so you can decide for yourself if you can trust us next time.”

So, what did happen, according to MongoHQ’s own admission?

Sadly, a series of weak security decisions were behind the intrusion:

  • A user’s work account had the same password as one of his personal accounts, and his personal account got pwned. So the crooks were into both accounts at one stroke.
  • MongoHQ’s internal support application was accessible directly over the internet. So the crooks didn’t need to authenticate their way onto a Virtual Private Network (VPN) first.
  • There was no two-factor authentication (2FA). So the personal password known to the crooks was enough all on its own.
  • The support application gave access to customer account information, such as email addresses and hashed passwords.
  • The support application also allowed insiders to pretend to login as a customer, and to see exactly what that customer would see, “for use in troubleshooting customer problems.” So the crooks could effectively login to customer accounts without needing to know their passwords.
  • There were no Access Control Lists (ACLs) to prevent support users from getting at data they didn’t need.

The only good news in all of this is that the customer passwords revealed to the crooks were hashed using bcrypt.

Bcrypt is a so-called key-stretching function that ramps up the time it takes for a supplied password to be checked against its stored hash, by requiring parts of the hash calculation to be repeated a configurable number of times, thousands or even tens of thousands, rather than just once.

That means it takes thousands or tens of thousands of times longer to check each password – not much of an inconvenience when you are validating passwords one-by-one when customers login, but a giant roadblock when you are a crook wanting to try a dictionary attack using millions of likely passwords.
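To make the work-factor argument concrete, here is an added example (not MongoHQ’s code) of the same key-stretching idea using only what the Python standard library provides. bcrypt itself is not in the standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the stored-string format is an assumption. The cost parameter is stored next to the salt and hash so it can be raised over time, and the dictionary_attack function shows that every guess costs the crook exactly one full derivation, the same price the server pays for one login.

```python
"""Salted, key-stretched password storage with a stored cost parameter. Added
example for this page; PBKDF2-HMAC-SHA256 stands in for bcrypt and the
'$pbkdf2-sha256$rounds$salt$hash' format is an assumption."""
import base64
import hashlib
import hmac
import os

DEFAULT_ROUNDS = 100_000      # raise over time; needs_rehash() catches older hashes


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    salt = os.urandom(16)     # unique per user, so one table of guesses cannot serve all users
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"$pbkdf2-sha256${rounds}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str):
    _, algo, rounds, salt, dk = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported hash format")
    return int(rounds), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password: str, stored: str) -> bool:
    rounds, salt, dk = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, dk)          # constant-time comparison


def needs_rehash(stored: str, rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the stored hash used a lower cost than current policy; call it
    right after a successful login and re-hash with the password just verified."""
    return _parse(stored)[0] < rounds


def dictionary_attack(stored: str, wordlist) -> tuple:
    """What a crook does with a stolen hash: one full derivation per guess.
    Returns (matching_word_or_None, guesses_tried)."""
    tried = 0
    for word in wordlist:
        tried += 1
        if verify_password(word, stored):
            return word, tried
    return None, tried


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored), needs_rehash(stored))
    print(dictionary_attack(stored, ["123456", "password", "qwerty"]))
```

The asymmetry the article describes falls straight out of this: the server pays one derivation per login, the attacker pays one per guess, and the cost of both is set by the number stored in the hash string, which is why that number should be chosen by timing it on your own hardware and revisited as hardware gets faster.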

As for the not-so-good items listed above: MongoHQ has already started working on addressing them all.

In fact, the company has gone so far as to say (my emphasis below) that it will keep its support application shut down until “we have obtained third-party validation that:

  • we have functioning, enforced two-factor authentication,
  • access to the applications is provided solely through VPN,
  • [we have] a system of graduated permissions, tested thoroughly, that allows only the minimum needed privileges to support personnel based on role.”

That’s a laudable and a robust response, and – as it happens – it’s a great checklist for your own network security setup.

2FA, VPNs, and ACLs: your computer security allies.
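The same three controls, enforced together on the authorization path of a support tool, as an added example written for this page rather than MongoHQ’s code: the role table, the VPN address pool, the impersonation token lifetime and the audit-record shape are assumptions for illustration. The checks are ordered so that a stolen password on its own never reaches the permission check, and every decision, allowed or denied, is recorded, so a “login as customer” is always attributable to the support user who used it.

```python
"""VPN-only access, enforced 2FA and graduated permissions on one authorization
path. Added example for this page, not MongoHQ's code; the policy values and
the role table are assumptions."""
import ipaddress
import time
from dataclasses import dataclass

VPN_POOL = ipaddress.ip_network("10.8.0.0/16")      # assumed: addresses handed out by the VPN
IMPERSONATION_TTL = 15 * 60                         # assumed: seconds a support login-as lasts

# Graduated permissions, deny by default: nothing outside this table is allowed.
ROLES = {
    "support-t1":   {"customer:view_profile"},
    "support-t2":   {"customer:view_profile", "customer:view_billing"},
    "support-lead": {"customer:view_profile", "customer:view_billing", "customer:impersonate"},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool      # second factor completed for this session
    source_ip: str


class AccessDenied(Exception):
    pass


class SupportApp:
    def __init__(self):
        self.audit = []     # every decision, allowed or denied, is recorded

    def _deny_reason(self, s: Session, action: str):
        if ipaddress.ip_address(s.source_ip) not in VPN_POOL:
            return "not connected through VPN"      # a stolen password is useless from the internet
        if not s.mfa_verified:
            return "second factor not verified"     # and useless without the second factor
        if action not in ROLES.get(s.role, set()):
            return f"role {s.role} lacks {action}"  # least privilege per role
        return None

    def authorize(self, s: Session, action: str, customer: str) -> None:
        reason = self._deny_reason(s, action)
        self.audit.append({"user": s.user, "action": action, "customer": customer,
                           "allowed": reason is None, "reason": reason})
        if reason:
            raise AccessDenied(reason)

    def impersonate(self, s: Session, customer: str) -> dict:
        """'Login as customer' for troubleshooting, limited to roles that hold the
        privilege and always tied to the support user who used it."""
        self.authorize(s, "customer:impersonate", customer)
        return {"customer": customer, "acting_support_user": s.user,
                "expires": time.time() + IMPERSONATION_TTL}

    def denied_attempts(self) -> list:
        return [e for e in self.audit if not e["allowed"]]


if __name__ == "__main__":
    app = SupportApp()
    print(app.impersonate(Session("dana", "support-lead", True, "10.8.3.7"), "cust-42"))
    try:
        app.impersonate(Session("eli", "support-t1", True, "10.8.3.9"), "cust-42")
    except AccessDenied as exc:
        print("denied:", exc)
    print(app.denied_attempts())
```

The VPN and 2FA checks in _deny_reason are the two that would have stopped the MongoHQ intrusion at the door; the role table is what limits the damage when an attacker does get in as a legitimate low-tier user, and the audit list is what lets you answer “which customers did they look at” afterwards.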

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tyuh2GpplEQ/

Silent Circle, Lavabit Team On New Secure Email Protocol

As the drumbeat of NSA revelations hit a new high yesterday, with reports that the agency can collect data moving between Google’s and Yahoo’s data centers around the world, two companies that recently shuttered their encrypted email services over NSA surveillance concerns announced they are teaming up to create a next-generation, open-source, end-to-end encrypted email protocol.

Silent Circle and Lavabit said they have launched Dark Mail, which will recruit other members to help develop a new encrypted email protocol for software developers and email service providers to adopt. The announcement was not in direct response to yesterday’s latest report by The Washington Post based on NSA documents obtained by former NSA contractor Edward Snowden.

The goal of the Dark Mail Alliance is to “bring the world a unique end-to-end encrypted protocol and architecture that is the ‘next-generation’ of private and secure email,” the companies said in an announcement on Silent Circle’s website. “What we call Email ‘3.0.’ is an urgent replacement for today’s decades old email protocols (‘1.0’) and mail that is encrypted but still relies on vulnerable protocols leaking metadata (‘2.0’) … Our goal is to open source the protocol and architecture and help others implement this new technology to address the privacy concerns over surveillance and back door threats of any kind.”

Silent Circle and Lavabit had separately shuttered their encrypted email services this summer in the wake of initial reports of NSA’s widespread surveillance programs that extended into spying on U.S. citizens’ traffic.

Jon Callas, CTO at Silent Circle, said his firm had to scrap its Silent Mail service because email was now “fundamentally broken from a privacy perspective.”

“This is an unfortunate example of the chilling effect the current surveillance environment is having on innovative communications companies,” he said in the company’s August announcement of its plans to drop the service.


Article source: http://www.darkreading.com/privacy/silent-circle-lavabit-team-on-new-secure/240163416

Simple Security is a Better Bet

Last week I met with a firm to discuss compliance strategy for data privacy protection of Personally Identifiable Information (PII). A number of the state laws were potentially in play, including Massachusetts 201 CMR 17. We discussed what applications and databases were in use, how information moved, and some of their specific in-house issues. Then I discussed the different technology options for each platform that were available, specifically mentioning what threats the products addressed, and the relative cost of implementation and maintenance. That is the point that, even over the phone, I could hear heads spinning on the other side of the line. Too. Much. Information. And far too complex for them to come away with any coherent strategy or action plan. Forget running, we needed to get to crawl. It was clear they did not have the time, the manpower, nor the budget to go through the full analysis process. And even if they did, it would have ended up with a half-dozen separate and distinct projects, each with its own learning curve, each with a different product to obtain, each with a different skill for managing.

That’s where we simply cut to the chase: I advised a single technology, in two specific implementations, that provided basic security across all the platforms for all of the use cases.

Why? Because it was going to address most of the issues they had — they were not even fully aware of the issues they needed to address — and it was within their capability to implement. I hate to do this as sometimes it feels like compliance for the sake of compliance. Personally I like to pick tools and technologies that best fit my category of need, be it compliance, security or whatever. That said, sometimes best of breed is not possible. Selecting ‘the best’ technical solutions app by app created project and operational complexity that would simply never work in this case.

I’ve talked a lot on this, and on the Securosis blog, about how complexity makes it harder to do security. Certainly people like Bruce Schneier and Dan Geer have covered this in great detail as well. Examples I’ve witnessed first-hand: when security settings are difficult to check, people are more likely to make a mistake or skip the process entirely. If code is hard to read, code reviews are less effective. Complexity makes things hard to understand and, in turn, results in less effective security; in this case, complexity from an implementation and management perspective. Getting 90% of the way home was better than outright failure.

Does this sound cliché? Sure it does. Do companies still bite off more than they can chew? Absolutely. The person who wants the work done is a specialist and wants things done to their standards, which are often beyond IT’s capabilities. It’s a reality for many IT organizations that the best choice is often the simplest to implement, or the simplest to use.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading.

Article source: http://www.darkreading.com/database/simple-security-is-a-better-bet/240163405
