Mike Rothman of Securosis stirs things up a bit with his “Risk Metrics are Crap” post. This type of exercise forces participants to make public commitments. In itself, this is not a huge deal since many positions of those in…
Nuh, uh; Yuh, huh
by Pete Lindstrom
(is that title the proper English spelling of two kids disagreeing? who knows…) Andrew Gelman’s enlightening blog points to a great example of how scientific research helps us get smarter. He excerpts: Three articles published [by Brett Pelham et al.] have…
Vulnerability Creation vs. Discovery vs. Fix
by Pete Lindstrom
Michael Janke at Last In, First Out is rightly concerned about the respective run rates of the vulnerability creation process and our ability to fix them individually. He asks the question “Are we creating new vulnerabilities faster than we are…
Announcing: The Month of No Bugs (MONB)!
by Pete Lindstrom
It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)! This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to…
There is no such thing as *Real* Value
by Pete Lindstrom
Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value,…
Rudeness, risk and vulnerability disclosure
by Pete Lindstrom
Robert Graham at Errata Security has yet another thoughtful post – this one on the “rudeness” of vulnerability disclosure. His key point: “However, vuln disclosure isn’t friendly. It is an inherently rude act.” It is an interesting post, primarily focused…
More Breach Costs “per record”
by Pete Lindstrom
Ponemon Institute has issued its annual report on the cost of data breaches. I wrote last year about using per record costs for data breaches. An excerpt: It is common when estimating costs of data breaches to quote costs “per…
Addressing the Advanced Persistent Threat (APT)
by Pete Lindstrom
In the past few weeks, the Advanced Persistent Threat (APT) has been all the rage in the infosec world. Security professionals everywhere are taking sides about whether APT is new or not, despite (or perhaps due to) the lack of…