Conflict of interest?

In the product review, First Look: RazorThreat Threat Analysis Console v 1.5 [March], Dr. Stephenson appears to have no prior knowledge of this product — and that he just stumbled across it while he was "on the prowl for the new, unusual and, above all, useful."

The fact is that this product was developed by Dr. Stephenson. The development began while he was at Eastern Michigan University. From what I have been told, he left EMU and continued to develop the product in private.

RazorThreat is now marketing TAC to the State of Michigan. They directly state that the tool is the same tool that Dr. Stephenson demonstrated to the state in July of 2006, only that it is now a commercial product with a new user interface.

Alas, a glowing product review by Dr. Stephenson. Providing a product review for your own product (or a product that you developed) is clearly a conflict of interest. These types of ethics are horrible and totally unacceptable. Has Dr. Peter Stephenson duped SC Magazine or has SC Magazine duped the public?

- Blane Perry, Enterprise Security Analyst, Office of Enterprise Security, State of Michigan

Technology Editor Peter Stephenson responds: Thanks for your note, Blane. I'm glad to respond and clear up any misunderstanding. I not only did not develop the product, I had nothing to do directly with its development. The product was developed independently by Nathan Einwechter (software engineer) and Mike Lipinski (CTO of RazorThreat, I believe). I've known both of them for years.

That they used one of my theories is true, but there is far less of it in the product than it appears on the surface. They actually took a different direction for determining inter-domain communications than the one I published roughly four years ago. That theory is in the public domain. Additionally, they added a lot of features and capabilities that have nothing to do with any work I ever have done.

When I saw the finished product I was sufficiently impressed to do a First Look on it because it fits my criteria for a First Look product: it is innovative, it solves a problem and it does not fit directly in any existing category of security product.

I have not received one cent from RazorThreat or its principals in connection with the TAC. Currently, I have no anticipation of any money from them and we have no business arrangements of any kind relating to the TAC.

It's flattering to have someone build a successful product around one's research, but flattery is, I'm afraid, all that is in it for me at present.

Making the cut

Would you be able to answer for me why certain vendors are not included in your reviews and/or awards that the magazine routinely publishes?

For instance, we run GFI MailSecurity and MailEssentials and never seem to see them compared to other vendors' products. Could it be because they are based in Malta?

Management routinely sees certain vendors' absence and asks questions. It would be nice to give them an answer on why certain vendors don't make the cut.

- Brian Roberson via email

Editor-in-chief Illena Armstrong responds: Each month we canvass the space for which we're doing reviews to send out invites to companies to participate (companies also approach us). For various reasons, some companies do decline to participate. This may be due to the timing of a new version or worries about their being able to test well against certain criteria. The reasons run the gamut. So we test those products whose companies have filled out and signed our test application.

The SC Magazine Awards are a different beast all-around. For consideration in any of the categories — Reader Trust, Excellence or Professional — a company or product must be nominated. For Reader Trust, our readers vote online during a designated period each year. Other awards comprising the Excellence and Professional categories are decided by a panel of judges I organize, who dedicate their time and expertise to choose winners.

Decreasing flaws

The opinion column from John Heimann of Oracle [March 2007] was right on and is a testimony to a proactive way to decrease security flaws and risks. However, Mr. Heimann did not mention a very important (and free) organization to aid in secure software development called the Open Web Application Security Project (OWASP). OWASP is a not-for-profit organization that is dedicated to finding and fighting the causes of insecure software. The use of OWASP's WebGoat application helps teach developers to understand security issues by exploiting real vulnerabilities. Many organizations and agencies, such as PCI Standards, Department of Defense, Sprint, PricewaterhouseCoopers and IBM, have adopted the OWASP Top 10 — a list of the most critical web application security flaws — and incorporated them into best practices or standards documentation.

Note: I have no affiliation with OWASP. I just think they are an excellent resource in fighting the battles of insecure coding.

Thank you for the opportunity to comment. You provide an excellent publication. Keep up the good work.

- David Bennett, Westminster, Md.

Security clearances

I've just received the March '07 issue with a very interesting article written by Professor Danielle Zeedick of Norwich University [Opinions] on people placing "stupid" stuff on the internet and how it comes back to bite them later on when they try to go for clearances in the government.

As the information assurance manager for the 103D Fighter Wing, one of my jobs, amongst many others, is to inform the base populace about computer security (COMPUSEC) and how it affects the users, networks and access. I find this article in line with what I'm trying to do in regard to security clearances, and would like permission to use part of or the entire article in our base newspaper.

One other thing: I enjoy your magazine every month, and look forward to each issue. Keep up the good work. Thank you and have a good day.

- SMSgt Robert "Z" Zukauskas, East Granby, Ct.

I am looking at page 45 of the March 2007 issue of SC Magazine. The photo above the title apparently shows participants at a previous SC Forum. What struck me as odd is the fact that there are no women, and no minorities discernible in the photo.

This issue is also supposed to be my last, requesting that I renew my free subscription...I think I'll pass.

- Ursula Rozanski, managing principal, president, Rozanski & Associates Inc.

Editor-in-chief Illena Armstrong responds: For a recent salary survey we conducted [April], out of the 474 respondents only 10 percent were women. At the event photographed and shown in this issue, we had two women sign up out of about 45 men. Since we've been holding these Forums over the last three years, the female professionals at my company as well as those pros I ask to speak outnumber the women IT security pros who have signed up – historically no more than five at each event.

My female counterparts in the industry agree that we're still a minority. However, I'm heartened to see more and more women join the fray.

I regret to hear you're not interested in renewing, and understand your viewpoint.