Archive for the 'Random' Category

Attention InfoSec Pros: measuring risk is in your future

Posted on March 3 2011 by Pete Lindstrom

Mike Rothman of Securosis stirs things up a bit with his “Risk Metrics are Crap” post. This type of exercise forces participants to make public commitments. In itself, this is not a huge deal, since many positions of those in our space are relatively well documented already; however, anyone familiar with Cialdini knows that commitment [...]

Nuh, uh; Yuh, huh

Posted on February 11 2011 by Pete Lindstrom

(is that title the proper English spelling of two kids disagreeing? who knows…) Andrew Gelman’s enlightening blog points to a great example of how scientific research helps us get smarter. He excerpts: Three articles published [by Brett Pelham et al.] have shown that a disproportionate share of people choose spouses, places to live, and occupations with [...]

Vulnerability Creation vs. Discovery vs. Fix

Posted on October 25 2010 by Pete Lindstrom

Michael Janke at Last In, First Out is rightly concerned about the respective run rates of the vulnerability creation process and our ability to fix them individually. He asks the question “Are we creating new vulnerabilities faster than we are fixing old ones?” after providing a list of publicly disclosed vulnerabilities from various time periods. [...]

Verizon PCI Report: the PCI 80/20 Rule

Posted on October 4 2010 by Pete Lindstrom

Today, Verizon released its Verizon 2010 Payment Card Industry Compliance Report which I had the pleasure of working on. One of the most interesting things in my opinion is the PCI 80/20 Rule. The broad results of the report show that approximately 80% of companies fail to pass the initial PCI audit. In addition, we [...]

Announcing: The Month of No Bugs (MONB)!

Posted on September 1 2010 by Pete Lindstrom

It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)! This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to complain that vendors should give me the attention I deserve, NOT to pound my chest [...]

Disclosing the Elephant in the Room of the Disclosure Debate

Posted on July 23 2010 by Pete Lindstrom

There has been a lot of discussion lately about vulnerability disclosure, with Google and Microsoft respectively weighing in with their latest opinions on the topic. There is really nothing new here, as evidenced by the Google folks referencing a 9-year-old Bruce Schneier essay on the topic. I have written extensively on the topic and the [...]

There is no such thing as *Real* Value

Posted on May 26 2010 by Pete Lindstrom

Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value, which may bear no correlation to the real value.” Rich’s reference to something called a [...]

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Posted on April 29 2010 by Pete Lindstrom

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system – demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…) At this stage [...]