If you are prepared to put in the time and effort, there can be great reward in vulnerability research and disclosure, not to mention credit and kudos in the security community.
This week that sits in the shape of a blue hat sitting firmly on the head of Brit James Forshaw, head of vulnerability research at Context Information Security, who discovered a mitigation bypass technique in Internet Explorer 11 during its beta testing period in the summer.
I’m not one to say the beers are on Mr Forshaw this afternoon as the Context event I will be attending, but I am sure this work did not take limited effort and it is great not only for the industry that this bounty was paid to a UK-based researcher, but that Microsoft was prepared to put up such a sum of money for security research.
In the past, Microsoft has been criticised for payments for product development under the banner of the Blue Hat Prize, but what I think this payment will show is that research is valued and well worth the investment.
Sticking with Microsoft and vulnerabilities, this week saw the patch released to cover the zero-day flaw in Internet Explorer that has been bothering Redmond, and the security community globally. Reports were made of attacks in the wild and it was added to the Metasploit project, showing the seriousness of the issue. Microsoft took its time and didn’t do the knee-jerk reaction of an out-of-band patch and what was released was on its regular schedule.
Also released on this day was a patch for a second vulnerability which was found internally at Microsoft, quite how much this was being exploited is unsure, but even if it was being exploited on a minor scale then patching it with minimal disruption to users is a positive thing. All in all a good week for the Redmond-based software company, although it is likely to be a case of a countdown until the next zero-day is discovered. Counting down from 5…4…3..
Another story which appeared this week was the completion of the acquisition of Sourcefire by Cisco for a reported $2.7 billion (£1.7 billion). The announcement claimed that it is “now one company” and one community. Cisco’s announcement claimed that upon the completion of the transaction, Sourcefire employees join the Cisco Security Group led by Christopher Young, senior vice president of the Cisco Security Group.
News like this does make the industry stand up and take notice of how much a company is valued at, especially with a company such as Sourcefire who has has such success and kudos in the open source community through projects such as Snort.
My only concern, as is often the case with acquisitions, is that the acquired company ceases to be and becomes part of the wider machine of its new parent. I’ll avoid naming names, but it happens more often than is preferable and it has been a shame to see some great names, people and technology bundled into other product packages.
That said, sometimes the best new start-ups do appear from these acquisitions as founders find themselves cash-heavy and able to invest and begin a new project. Money; it makes security go round.