Just the facts ma’am:

• Rank on Inc. 500: #350
• Three-year revenue growth: 840%
• Rank on Top 100 DC-area companies: #27
• DC area ranked #1 for most companies on the Inc. 500 list; #2 for most companies on the Inc. 5000 list (behind NYC)
• 2^nd fastest-growing software company in the DC area (Note: we got categorized as IT Services but of course we really fall under “Software”. They never seem to have a “Technology Appliances” category…)

Read the full press release here.

We’re loving it because of the awards we’ve applied for over the last few years and haven’t won. (Or maybe only I care about this since I had to fill out all those applications. Hmmm, I’m sensing a pattern here…) But in this case, it’s all about the numbers.

We love this part of our story because it comes down to customers actually believing in you and your product enough to plunk down the money – and keep coming back for more once you prove yourself the first time. It’s not about the hype or the latest flash in the pan or “sponsorship” or how much money some VC gives you. It comes down to you, your product and your happy customers.

The rate of total homicide and the rate of homicide due to mental disorder rose steadily until the mid-1970s. From then there was a reversal in the rate of homicides attributed to mental disorder, which declined to historically low levels, while other homicides continued to rise.

Paper and press release.

Remember this the next time you read a newspaper article about how scared everyone is because some patients escaped from a mental institution:

We are convinced by the media that people with serious mental illnesses make a significant contribution to murders, and we formulate our approach as a society to tens of thousands of people on the basis of the actions of about 20. Once again, the decisions we make, the attitudes we have, and the prejudices we express are all entirely rational, when analysed in terms of the flawed information we are fed, only half chewed, from the mouths of morons.

I was just reminded of this randomly just by reading this list of new tools released at the Defcon this year. Sounds like a busy conference, with a lot of hackers who love what they do. Good stuff.

It has become more like a global fair than what most people think of conferences; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!” so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release.

Read the list and full article here

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...]]> Mon, 18 Aug 2008 20:00:00 +0000 payment card industry data security standard release represents version pci dss summary october pdf minor PCI Compliance: Reaction to the Summary of Changes http://securityratty.com/article/803e2f6db1563e98882d0a71faf66398 http://securityratty.com/article/803e2f6db1563e98882d0a71faf66398 Cloud Computing will also cure the common cold! Not really. But amidst all the hype and overly-used marketing speak it’s hard to tell the difference. Researchers from the University of Michigan announced CloudAV, a network service using the “cloud-computing” concept to fight malware. Please stop the insanity! I’m just waiting for someone to put “my” and “cloud computing” together…

Here’s an interesting post on High Earth Orbit about the usage and promotion of open source software for defense contracts. As a developer of open source tools, Andrew Turner of course brings up some “pros” for the government to push open source, but it’s the “cons” that are really interesting. A big “con” – the US government having something called “sovereign immunity” which apparently means something like it can’t be sued unless it consents to be sued. Hunh – the Republic of ScienceLogic-Land? Closing the loop here, a federal appeals court just boosted open-source software licenses by saying that any infringements can now get more severe remedies under copyright law (instead of contract law); here’s the case, Jacobsen v Katzer. But apparently not if it’s the US government?? Who knows more?

Does Linus Torvalds hate everyone except for developers? You have to check out this article on an email exchange he had with Network World this week, talking about how fed up he is with the “security circus”. Over the course of the exchange and some other comments from last month, he manages to blast security folk, OpenBSD (on security) in particular, vendors and PR people (of course). In the midst of the barrage of colorful language, it’s difficult to really get his point – which if you can dig it out, ends up being surprisingly sensible.

Sharon Taylor, Chief Architect of ITIL V3, recently wrote that with the release of the latest version of ITIL, BSM is now an ‘ITIL best practice.’ You say potato… “The distinction between IT and the business has blurred, and the language of IT has been replaced with the language of the business.”

Today, allow me to update you on FAIR and the movement towards a formal, open standard.  There’s a couple of cool things going on in our little risk-world.

First, The Open Group Security Forum continues to move towards a formal adoption of FAIR.

WHAT DO YOU MEAN “WE” - YOU GOT A STANDARDS BODY IN YOUR POCKET OR SOMETHING?

Our meeting in Chicago a few weeks ago was great, but also slightly disturbing for me. I got pronoun-confusion syndrome.   I’m used to using the “we” pronoun to refer to RMI, or Jack and myself as we vet the models.  So without even thinking I would said “we have been looking at how loss occurs, and may want to change the model some” and The Open Group Members freaked out (rightfully so).  Adrian Seccombe gently reminded me that the “we” was now the Security Forum, and that “we” didn’t go changing things at will without vetting against each other.  Man I love this stuff.  I get to run our thoughts and ideas past some great folks now - you know, those smart people who tend to have really complex problems and are trying hard to solve them.

Formal Adoption:  Soon, Very Soon Now

Formal Adoption basically means we’ve made this document, everyone is close to saying that they generally like it, and once that finally happens then “bam”, we’re ready to move onward and upward with better things (see Cookbooks, below).  We’ve got a couple of changes to the current document that have been requested that aren’t a big deal.  For example, one request is that we make some statement about general applicability of FAIR to risk domains outside of the IT realm.   But once additions like that and others are done, this long process should be complete.

New Document Moving Towards Public Release:

We’ve got a basic document that should be public in the next few weeks on “What Makes a Good Risk Assessment Methodology” - written by yours truly and Jack.  It’s a very high-level document, and serves two purposes:

• For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document).
• For those who “know” risk, it helps to re-establish some fundamental principles like the use of scales (ratio, please), the implications of dealing in probabilities, what attributes like consistency and defensibility mean, how “risk” should be reported to the business (something you know, meaningful) and so on.

When this doc is deemed ready for public consumption I’ll be sure to post on this blog here.

COOKBOOKS, EUROPEAN AGENCIES, AND, IRON CHEF “RISK” - WHOSE CUISINE WILL REIGN SUPREME?

One interesting thing that came up in the Chicago meeting was that ENISA (The European Network and Information Security Agency) developed a very nice document that reviewed something like 18 different risk assessment methodologies against their Criteria for Goodness.  FAIR was one of the ones they reviewed, and we (the royal “we” used there to include all us FAIR-Folk) did awfully well.  Things of interest:

1. They based their work on the current introduction paper which is not at all a step-by-step guide towards an organizational risk assessment (what ENISA really wanted) and we did pretty well.  Well enough that if we had developed a paper along the lines of NIST 800-30 or OCTAVE for the use of FAIR in a formal process, we could have done really, really well.  Like won-the-bake-off kind of well.
2. FAIR is actually not at all incongruous to many of the risk assessment methodologies offered, and in fact compliments many of them by letting those methodologies develop real, structured probabilities.  Think OCTAVE, where they basically say “math is (probabilities are) hard, so if you want to do them for reals, good luck!  But here’s a nonsensical way to do things if you want to believe in magic-fairy risk“.  FAIR fits right in there by stomping on the magic-fairy risk with the jack-boots of rationality.  FAIR similarly helps other risk standards that might lack structured probability development.

So The Open Group Security Forum decided that though we could create a new document and totally p0wn any future ENISA bake-off, there wasn’t much demand for the development of that documentation by the membership  - a point which was made quite apparent at the beginning of the discussion when one large European company CISO asked “What’s ENISA?”  Relevancy is everything, I suppose.

But that second item up there - the one about helping rather than competing with other “risk assessment methodologies” - really struck a chord.  So “we” (The Security Forum) are going to develop some “Cookbooks” that basically are high-level documents that say “If you want to use FAIR with (OCTAVE/COSO/CoBIT/Whatever) here’s how it fits, makes it better, and improves your life.  I’m pretty excited about these, and our first document looks like it’s going to be COSO integration.

THE OPEN GROUP SECURITY FORUM - THEY’RE A TRUSTING BUNCH (WITH QUALIFICATION, OF COURSE)

Finally, many people have asked me “Why work with The Open Group?”  There are many reasons, to be sure, but I will give you one example.  Members of the Security Forum there are not only great at vetting the model and getting consensus on risk and risk factors - but they’re quick to start applying.  So in Chicago, I thought I’d be talking about FAIR and the standard and fighting groupthink.  Nope.  Not at all.  In fact, the forum members spent more time suddenly discussing use of FAIR in a new Trust Model they’re developing.  So all of the sudden, I’m part of a new and exciting project to develop a Trust Model - how cool is that?  While formal adoption of the Trust Model will be necessarily long and deliberate - the collaboration and development is happening much faster than I can keep up with.  But if you all will allow me, it will help me get my head around it all by blogging about it later this week.  So be prepared to read about me dealing in “Trust” a little bit.