Security analysis

Written by Richard Stiennon, Contributor

In response to today’s Security Commandment one alert reader asked:


Hi Rich,

I like the advice! Unfortunately, all my direct reports have religion about this. My question is, how should I compare platforms in an objective and reproducible fashion?

Confused in pointy-hair land,



Dear Confused:


The way to counter religious arguments in IT is with the almighty dollar. This was how Microsoft created a beachhead in the data center. I remember hearing “Reliability? Heck, we can just buy two NT servers and swap one out if it fails!” Microsoft succeeded in transferring expense away from the platform and into operations.


So here are some tips for comparing platforms.


  1. Ask how many security updates have been issued in the past year. This tells you how many operational resources will be needed to maintain the system.
  2. How many pieces of malware were in the wild that targeted the platform in the last year?
  3. What is the average uptime? Look at examples within your organization and find examples for competing platforms at other organizations.


And finally, just today there is a new tool announced by Mu Security that is going to impact the security equation for platforms. 


Mu Security is coming out of stealth mode today, April 3, 2006. Their product is an appliance that does security analysis against stand-alone devices/applications. This is not vulnerability scanning. Security analysis is the process that hackers and a very few security experts use to break devices or applications. This process is used to come up with all those new vulnerabilities that get published to Bugtraq.


Mu Security tests based on known attack vectors and thousands of permutations of them. It automates the exhausting analysis required to fully test and discover vulnerabilities.
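The post does not describe how the Mu appliance works, but the idea it names, a set of known input-corruption classes applied in permutations against a target until something escapes the target's error handling, can be shown in miniature. What follows is an added example written for this post, not Mu Security's code and not anything from the original column: a constructed toy record parser with deliberate robustness gaps, five constructed mutators standing in for "known attack vectors", and a harness that runs every ordered sequence of up to two mutators against the parser and records which exception types escape its documented rejection path. The point for a platform owner is the last part: an input that makes your own component raise anything other than its documented error is a finding, and the permutation pass catches a case (zero declared length plus an empty body) that no single mutator reaches.

```python
"""Mutation-based robustness harness (added example, not Mu Security's product).

The parser, the seed and the mutators below are all constructed for
illustration; the parser's gaps are deliberate so the harness has
something to find.
"""
import itertools
from typing import Callable, Dict, List, Tuple

# Constructed seed message for the toy format: key=value pairs separated by ";".
SEED = b"id=7;name=alpha;len=5;body=hello"


class MalformedRecord(Exception):
    """The parser's documented way of rejecting bad input.

    Anything else escaping parse_record() counts as a robustness failure."""


def parse_record(data: bytes) -> dict:
    """Constructed toy parser standing in for the device or application under test."""
    text = data.decode("ascii")              # gap: non-ASCII input lets UnicodeDecodeError escape
    fields = {}
    for pair in text.split(";"):
        key, value = pair.split("=", 1)      # gap: a pair without "=" lets ValueError escape
        fields[key] = value
    declared = int(fields.get("len", "0"))   # gap: a non-numeric "len" lets ValueError escape
    body = fields.get("body", "")
    if declared != len(body):
        raise MalformedRecord("declared length does not match body")
    # gap: len=0 with an empty body passes the check above, then divides by zero
    fields["avg"] = sum(map(ord, body)) // declared
    return fields


# Each mutator models one input-corruption class. A mutator whose pattern is
# absent is a no-op, which keeps the campaign deterministic.
MUTATORS: Dict[str, Callable[[bytes], bytes]] = {
    "drop_delimiter": lambda d: d.replace(b"name=", b"name", 1),
    "high_bytes": lambda d: d.replace(b"hello", b"h\xff\xfe"),
    "non_numeric_len": lambda d: d.replace(b"len=5", b"len=five"),
    "zero_len": lambda d: d.replace(b"len=5", b"len=0"),
    "drop_body": lambda d: d.replace(b";body=hello", b""),
}

Findings = Dict[str, List[Tuple[str, ...]]]


def run_campaign(target: Callable[[bytes], object], seed: bytes,
                 mutators: Dict[str, Callable[[bytes], bytes]],
                 max_depth: int = 2) -> Tuple[Findings, int]:
    """Apply every ordered sequence of up to max_depth mutators to the seed
    and feed each result to the target.

    Returns ({exception type name: [sequences that triggered it]}, cases run),
    counting only exceptions other than the documented MalformedRecord."""
    findings: Findings = {}
    cases = 0
    for depth in range(1, max_depth + 1):
        for sequence in itertools.permutations(mutators, depth):
            data = seed
            for name in sequence:
                data = mutators[name](data)
            cases += 1
            try:
                target(data)
            except MalformedRecord:
                continue                       # documented rejection: the parser behaved
            except Exception as exc:           # anything else escaped: that is a finding
                findings.setdefault(type(exc).__name__, []).append(sequence)
    return findings, cases


def report(findings: Findings, cases: int) -> str:
    """Render the campaign result as a short, reproducible summary."""
    lines = [f"{cases} cases run, {len(findings)} unexpected exception types"]
    for exc_name, sequences in sorted(findings.items()):
        lines.append(f"  {exc_name}: first triggered by {' -> '.join(sequences[0])}")
    return "\n".join(lines)


if __name__ == "__main__":
    found, n = run_campaign(parse_record, SEED, MUTATORS)
    print(report(found, n))
```

Running the same seed, mutators and depth on two builds of a component gives the reproducible comparison the reader asked for: the number of exception types that escape, and the shortest mutator sequence that reaches each one, are directly comparable across builds.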


What I like about this is you could run the Mu device against competing platforms and get an objective measure of the security posture. 


What I like even more is that vendors, once they realize they are losing out on deals because they are failing these tests, will start doing their own security analysis.


Good luck in pointy-hair land.

