Posted on September 1 2010 by Pete Lindstrom
It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)!
This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to complain that vendors should give me the attention I deserve, NOT to pound my chest and [...]
Posted on May 26 2010 by Pete Lindstrom
Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback.
Most importantly, I would like to address this point:
“I consider that an implied or assumed value, which may bear no correlation to the real value”
Rich’s reference to something called a real value [...]
Posted on April 26 2010 by Pete Lindstrom
Robert Graham at Errata Security has yet another thoughtful post - this one on the “rudeness” of vulnerability disclosure. His key point:
“However, vuln disclosure isn’t friendly. It is an inherently rude act.”
It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is [...]
Posted on February 2 2010 by Pete Lindstrom
Ponemon Institute has issued its annual report on the cost of data breaches. I wrote last year about using per-record costs for data breaches. An excerpt:
It is common when estimating costs of data breaches to quote costs “per record”. Most recently, Ponemon Institute released a study that asserted a cost of $202 per record [...]
Posted on February 1 2010 by Pete Lindstrom
In the past few weeks, the Advanced Persistent Threat (APT) has been all the rage in the infosec world. Security professionals everywhere are taking sides about whether APT is new or not, despite (or perhaps due to) the lack of a clear and consistent definition.
It started with Google suggesting (but not explicitly stating) that the [...]
Posted on December 14 2009 by Pete Lindstrom
The Computer Security Institute recently released its 2009 survey results (must register). One of the charts in the executive summary lists the frequency of occurrence in the survey population. Without any other information more pertinent or specific to your organization, you can use this information for quick-and-dirty risk calculations. Let me illustrate.
The frequency [...]
Posted on November 6 2009 by Pete Lindstrom
Evan Schuman has an intriguing blog post on the McAfee blog about whether the reduced number of data breach reports at DataLossDB.com is indicative of fewer actual data breaches. His answer is unequivocally “No.” His reasoning is as follows:
Media outlets are less interested in data breaches and therefore not publicizing them as frequently.
Retailers, banks, and [...]
Posted on November 3 2009 by Pete Lindstrom
I just downloaded Microsoft’s Security Intelligence Report. Given my predisposition toward good stats, I am looking forward to reading it. Herewith is a running chronology of my thoughts as I read it:
opening pages - 25 authors! even more contributors! wow - it better be worth it…
232 pages!
page 8: “the most significant trend in 1H09 was [...]