Wetware vs. Software
What is best in the realm of application testing?
Since the advent of SATAN, the question of tool versus whitehat has permeated the security industry. The question is founded on the effectiveness of a tool in finding system vulnerabilities when compared to what a human can do. How does all this play into application testing?
NSA and Windows 7
Good or bad? Irrelevant because you're probably missing the bigger picture
Earlier this week NSA’s Schaeffer stated in a meeting with Congress that the NSA collaborated with Microsoft in the development of Windows 7 by leveraging their “…unique expertise and operational knowledge of system threats and vulnerabilities…” As one would expect there are a number of mixed reactions in the security industry.
The State of Security (Part 4 of 4)
Will state law set a new low for information security?
Adding to the malaise, each state will look at what others are implementing and implement their own version. In short order you will have – as we currently have with iterations of SB-1386/AB-700 in several other states – different laws with very similar demands, but differences in expectations. It will take time for the federal government to normalize as a singular law, but by then the states will have moved on to a new regulatory target and the cycle repeats.
The Conspiracy Theorist in me
Facebook wins based on insecurity?
Admittedly, I may not have all the information. Nevertheless, a cursory glance makes me tilt my head in wonder. Last Friday, Facebook was awarded $711M in fines levied against Sanford "Spamford" Wallace, who gained access to numerous accounts on their site to send porn-promoting spam to their unsuspecting friends. This represents the second largest judgment based on the CAN-SPAM Act in history. Interestingly, the largest, $873M, was also awarded to Facebook because of Canadian spammer Adam Guerbuez in 2008.