Monday, April 10, 2006

Redaction blues

Agencies risk unwitting release of sensitive information using popular office software

A new front line of national and corporate security is emerging, and some of the most common document applications, including Microsoft Word documents and PDFs, are putting people on it without their knowledge. In the past several years, federal agencies and private-sector companies have released documents on the Internet that they thought did not contain sensitive content, but they actually did. That has led to embarrassment, scandals, firings and national security breaches when unintended readers discovered the hidden data.

Owen Ambur is calling to third party vendors to propose solutions. He is far too kind. Application developers have been grossly negligent and need to provide an intuitive from of redaction that would truly delete data. This is a disaster waiting to happen and if the nation suffers because someone didn’t properly redact data in a publicly released document, playing blame the end user will not be a successful PR strategy.

1 comment:

Ron Hackett said...

Application developers are far too busy developing new features to deal with the vulnerabilities caused by those new features. Their motivation is clear. Without new features, there is no incentive to upgrade to the latest software. Unfortunately, new features introduce new vulnerabilities that developers often overlook in their zeal to innovate. That’s why the third-party developers are important to the security equation. The third-party developer is not motivated by a need to produce a new feature – they are motivated by the need to find potential problems with those new features. This third-party mindset is crucial to enhancing security.

To-date, third-party developers in general have done a very poor job of developing quality redaction tools. Most of the current commercial offerings are lightweight tools that are only adequate in limited circumstances. These tools are not adequate for protecting classified data or national security information.

This lack of solid commercial redaction tools motivated SRS Technologies to develop a better product to meet robust redaction requirements. Document Detective version 2.0, which recently launched last month (, is the only commercial redaction tool specifically written to meet Government requirements for reviewing and sanitizing electronic documents that could contain sensitive and classified information. If you want a tool that does redaction right, you need Document Detective.