The recent Sony Pictures breach is a stark indicator of how complete and thorough a compromise could be. Sensitive email conversations between executives, marketing plans and various projects have all been exposed and while the rumours have flown thick and fast as to the identity or sponsors of the attacks, for illustrative purposes, it really doesn't matter. The ultimate point being that a small group of individuals of sufficient skill can compromise a multi-billion dollar company.
Back in 2009 I wrote a blog post about vulnerability disclosure. It's interesting reading the post four years later, looking at things that have happened at places I've worked, vulnerabilities I've reported personally or watched others submit.
The security industry seems to be broadly polarised by the Attorney-General's recent announcement of the formation of CREST Australia (Council of Registered Ethical Security Testers). For those who have not kept pace with this piece of news, CREST Australia has been chartered by the AG's office to certify the competency of penetration testers within Australia. Now, I've spoken with quite a few people and I am quite surprised at the variety of responses—particularly from people I would have expected to endorse it.
"If a nation values anything more than freedom, it will lose its freedom: and the irony of it is that if it is comfort or money that it values more, it will lose that, too." -- William Somerset Maugham