
Archive for March, 2009

7 habits of highly effective infosec professionals

Monday, March 9th, 2009

In his book 7 habits of highly effective people, Stephen Covey presents universal habits which can be applied to any person, organization, profession, corporation, or business. As part of habit 3, “put first things first”, he describes a way to classify activities in terms of importance and urgency. He has a basic four box matrix that looks like this:

                  Urgent          Not urgent
Important         I (crisis)      II (prevention)
Not important     III             IV

His point is that too many people spend too much time in box I, which is the crisis box. Crises, in his words, “act on you, rather than you acting on it”. The solution, he says, is to spend more time in box II – things which are important but not urgent. To give a brief example, if you were suffering a heart attack and needed medical attention, that would constitute a box I event – it is both urgent and important. A box II event would be exercise and proper diet, which would ultimately reduce your likelihood of having the heart attack in the first place. By working more in box II, you ultimately shrink the amount of time you spend in box I. Security is, almost by definition, a box II item – it is important, but rarely urgent. However, within our profession this matrix can still be applied, and I think that properly classifying and thinking about these activities can greatly help an infosec individual or group better prioritize its activities.

Important, urgent (box I):
  • Incident detection
  • Incident containment
  • Incident eradication
  • Deploying urgent patches because the newest worm is tearing you apart

Important, not urgent (box II):
  • Security reviews
  • Hardening systems
  • Deploying secure technologies like DNSSec, VPNs, SPF, DKIM, etc.
  • Code review
  • Implementing a good patch management policy
  • User awareness training

Not important, urgent (box III):
  • Regulatory compliance
  • Complying with legal requests/issues

Not important, not urgent (box IV):
  • Playing solitaire

I’m clearly not saying that you should all start to simply ignore the crises that regularly crop up in your line of work; however, I think that entities which focus on box II items will ultimately see far more benefit than those that ignore those things (as they’re not urgent) and end up spending all their time in box I.

security and outsourcing

Friday, March 6th, 2009

Chris Wysopal has a good article in securityfocus about security reviews of outsourced software. I must admit I agree with just about everything he said (that you need to do due diligence on the code that was outsourced, just like you do for internally developed code). However, there is one factor missing from the article. The reason so much development is outsourced these days is because companies don’t want the hassle/cost/overhead associated with doing their own development. Security is included in that. If a company doesn’t want to go through the hassle of hiring their own developers and doing QC on their own code, what makes you think they’re willing to hire security experts to do QC on the code they outsource?

Although there are many solutions, including having a third party review built into the outsourcing contract, one obvious solution that comes to mind is having third party certifications, similar to the common criteria or DITSCAP.

vulnerability disclosure response time

Thursday, March 5th, 2009

A few months ago I found a XSS vulnerability in a product used by many people. I contacted the vendor, which happens to be a very large entity. (No, it’s not Microsoft, but that’s the only hint I’ll give). Here’s the timeline of what’s happened so far:

  • Dec 18 2008 – I send an email informing them of the problem, and showing them what was needed to replicate it.
  • January 8 2009 – They sent me a response saying they were “evaluating and will get back to me”.
  • Feb 12 2009 – I send a followup email asking what’s going on.
  • March 5, 2009 – I get a response saying that they have verified the issue, and are working on a fix.

So, does this seem like a reasonable timeline? Should I be pushing harder? This isn’t the biggest vulnerability in the world, but it still seems like something that should be fixed, and the fix shouldn’t be that hard.

VoIP war dialing

Wednesday, March 4th, 2009

It’s about time someone made this tool. Warvox uses a VoIP connection to do its war dialing. Because it uses VoIP, it can dial multiple numbers in parallel. It also has some good built-in analysis features to find things like voicemail.
