Grey bar Blue bar
Share this:

Mon, 4 May 2009

Zappos number 1 priority

[] is one of those companies people love to write about. They make headlines for their use of new media and their CEO (Tony Hsieh) is as .com legendary as one gets.. (he sold LinkExchange in 1998 for $265 million and under him zappos went from $1.6 million in sales (2000) to $840 million in sales (2007)).

He recently gave a talk at the [Web 2.0 conference].

He talks about how they invest in the customer experience, free shipping bouquets, and suprise shipping upgrades to get customers products delivered before they expect it.. This is all cool, and im sure people love them for it, but then he goes on to mention their number 1 priority as a company..

"Its actually not customer service. Our #1 priority as a company is company culture!"

He goes on to say "Its our belief that if we get the culture right, the rest of the stuff like great customer service will happen naturally". The remaining 10 minutes of his talk are on why company culture matters..

I have so much i want to say about this, and why i think building and maintaining the right culture makes or breaks an organization, but i dont think i can beat his simple eloquence. "Our #1 priority as a company is company culture, Its our belief that if we get the culture right, the rest of the stuff .. will happen naturally"


Thu, 12 Mar 2009

Attack Vector based Risk Management?

Interesting post by Michael Dahn at discussed (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is... there is no spoon. I'm sounding facetious, but the post is actually not bad. Read more…

But actually, there was another part of the post that caught my eye. Its the comments about 'Attack Vector based Risk Management' or 'AVRM'. Not much is said about this except:

This means simply that you cannot economically defend your home until you better understand the evolving threat landscape. For example, if you know that attackers are breaking into cars in your neighborhood and stealing the 8-track players then putting another lock on your front door will not solve the problem. You need to start parking your car in your garage or putting a better surveillance system outside your house. Sure you could build a fortress to keep all your systems inside but that’s not economically feasible (especially these days.)
And later:
Try to imagine a world where there are not QSAs making point-in-time assessments but an internal and ongoing process of review and maintenance. It is only then that you will realise the truth, which is to say that it’s not compliance you dislike but the attackers, and only by understanding their motivations and patterns can you better protect against them.
There's not much more on the topic (anywhere on the net), but it resonates quite a bit with our own thinking about 'Corporate Threat Modeling' (Slides on CTM from CSi NetSec 07). I'd be interested to see more on how this works...


Tue, 28 Oct 2008

You know you are getting old..

When you blog a link to poetry:

[The man watching] is a poem by Rainer Maria Rilke, that i picked up from a talk by Tim Oreilly during his [recent talk] where he chided the audience for focusing on trivial banalities while leaving bigger problems un challenged. A subsequent speaker picked up the theme, and likened it to abandoning NASA to work on DisneyLand.

I think the sentiment is grand, and the poem is inspiring.. and in particular the following lines, are probably going to keep me up nights for a while:

What we choose to fight is so tiny! What fights us is so great!

When we win it's with small things, and the triumph itself makes us small.

Winning does not tempt that man. This is how he grows: by being defeated, decisively, by constantly greater beings.


Sat, 26 Jan 2008

On working when everyone else is asleep...

This quote reminded of something H always says:

"When opportunity comes... its too late to prepare"

- John Wooden - Hall of Fame Basketball coach

Thu, 10 Jan 2008

Is URL / Variable Name the new Port Number ??

There has been a fair bit of blog buzz about the new SQL Injection worm that ran around infecting sites. I have not looked too deeply into it, but have not yet seen accounts of how the targeting was done. Since the sites do not appear to have been running a common framework i would guess that it was search-engine generated targets based on resource name (like inurl: search.asp)..

For ages we have been telling people that if they had to have a /admin/admin.asp on their internet facing web-app that they would at least help minimize their exposure a little by naming it /admin_[bet_u_dont_find_this]/admin_[another_variable].asp

It at least makes sure that the back-end isnt trivially discovered and hammered on.. (yes this is security through obscurity - but please lets not have this argument unless you mail me with a subject line - "Security by obscurity is useless and here are my banking details to prove it" )

Whats mildly interesting is that considering the possibility of injection targeting through a search for "login.asp", then a simple speedbump would have been naming your resource "login_to_customer_portal.asp". Of course this doesnt make you un-findable, and doesnt protect you from directed attack, but neither did running your SSHD on a non standard port, but we do that anyway to make sure that we dont get hit by the next big SSHD worm..