Evaluating the Oracle Security Manifesto

Tuesday, August 30, 2011

Evaluating the Oracle Security Manifesto

The cool thing about Mary Ann Davidson is she doesn’t mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about her latest blog post - Those Who Can’t Do, Audit - I expected some sizzle. [...]
Continue Reading...
My Dream Metrics Status Report

Thursday, May 12, 2011

My Dream Metrics Status Report

“Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. [...]
Continue Reading...
Attention InfoSec Pros: measuring risk is in your future

Thursday, March 3, 2011

Attention InfoSec Pros: measuring risk is in your future

Mike Rothman of Securosis stirs things up a bit with his “Risk Metrics are Crap” post. This type of exercise forces participants to make public commitments. In itself, this is not a huge deal since many positions of those in our space are relatively well documented already, however, anyone familiar with Cialdini knows that commitment [...]
Continue Reading...
Nuh, uh; Yuh, huh

Friday, February 11, 2011

Nuh, uh; Yuh, huh

(is that title the proper English spelling of two kids disagreeing? who knows…) Andrew Gelman’s enlightening blog points to a great example how scientific research helps us get smarter. He excerpts: Three articles published [by Brett Pelham et al.] have shown that a disproportionate share of people choose spouses, places to live, and occupations with names similar [...]
Continue Reading...
Vulnerability Creation vs. Discovery vs. Fix

Monday, October 25, 2010

Vulnerability Creation vs. Discovery vs. Fix

Michael Janke at Last In, First Out is rightly concerned about the respective run rates of the vulnerability creation process and our ability to fix them individually. He asks the question “Are we creating new vulnerabilities faster than we are fixing old ones?” after providing a list of publicly disclosed vulnerabilities from various time periods. I [...]
Continue Reading...
Verizon PCI Report: the PCI 80/20 Rule

Monday, October 4, 2010

Verizon PCI Report: the PCI 80/20 Rule

Today, Verizon released its Verizon 2010 Payment Card Industry Compliance Report which I had the pleasure of working on. One of the most interesting things in my opinion is the PCI 80/20 Rule. The broad results of the report show that approximately 80% of companies fail to pass the initial PCI audit. In addition, we [...]
Continue Reading...
prev next
Posted on January 25 2012 Read more...

Vulnerability Research in the age of Embedded Systems (SCADA)

I have a post over at the Verizon Business blog (Considering Vulnerability Disclosure in the Realm of SCADA Systems) about how vulnerability discovery and disclosure impacts risk. Although it provides a basic risk model that can be applied to any situation, it focuses on the recent SCADA disclosures by Digital Bond and Rapid7. These are some ...
Posted on August 30 2011 Read more...

Evaluating the Oracle Security Manifesto

The cool thing about Mary Ann Davidson is she doesn't mince her words; you know where she stands on every issue and she is willing to own it in the security world. So when I started hearing some buzz about her latest blog post - Those Who Can't Do, Audit - I expected some sizzle. ...
Posted on August 22 2011 Read more...

Liability and Secure Software

iang over at Financial Cryptography has a thought-provoking discussion of liability (ht @alexhutton) and its corresponding risks. I think I added a comment (but can't be sure) that said this: Culture and consciousness is all a distraction and very malleable. What really matters at the end of the day is the relative number of vulns in ...
Posted on May 12 2011 Read more...

My Dream Metrics Status Report

"Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. ...
Posted on April 29 2011 Read more...

Dr. Laura as Information Security Officer

[One of my first Trend Watch essays circa 2000 or whenever Dr. Laura - the queen of saying "no" - was popular] Dr. Laura: “Hello Kate, you’re on the air” Kate: “Hi, Dr. Laura, thanks for taking my call. My security dilemma is that I would like to open a port in our firewall…” Dr. Laura: “ No. ...
Posted on April 4 2011 Read more...

Thinking about APTs and the RSA Hack

The recent RSA hack has once again (after Google and Aurora made a big splash a little over a year ago) brought to the surface this notion of an "advanced persistent threat." There is great emotion on all sides of the debate about what it is and whether it matters. As I listened to Uri ...
Posted on April 4 2011 Read more...

EMC (RSA) Acquires Netwitness

It is no surprise that EMC has acquired Netwitness. Looks like they are serious about this security stuff ;-) Here is a list of EMC / RSA acquisitions through the years, for your historical enjoyment: July, 2001 RSA Security acquires Securant March, 2006 EMC acquires Authentica April, 2006 RSA Security acquires PassMark June, 2006 EMC acquires RSA Security September, 2006 EMC ...
Posted on March 18 2011 Read more...

Just a Reminder for RSA: The “P” in APT stands for “Persistent”

RSA's Chairman Art Coviello has issued an open letter to its customers about a security breach that resulted in lost information related to SecurID. Two lines don't seem to go together: "Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against ...
Page 1 of 10512345»...Last »