Back to You, Rob!
by alex on March 22, 2011
Rob is apparently confused about what risk management means. I tried to leave this as a comment, but apparently there are limitations in commenting. So here goes: Rob, nowhere did I imply you were a bad pen tester. I (…)
Actually It *IS* Too Early For Fukushima Hindsight
by alex on March 22, 2011
OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I (…)
What does Coviello’s RSA breach letter mean?
by adam on March 21, 2011
After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, (…)
SIRA Meeting! THURSDAY
by alex on March 8, 2011
THURSDAY, THURSDAY, THURSDAY!!!!!!! Hi everyone! SIRA’s March monthly webinar is this Thursday, March 10th from 12-1 PM EST. We are excited to have Mr. Nicholas Percoco, Head of SpiderLabs at Trustwave, talk to us about the 2011 Trustwave Global Security (…)
Fear, Information Security, and a TED Talk
by adam on March 7, 2011
In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less (…)
Measurement Priorities
by Chandler on March 5, 2011
Seth Godin asks an excellent question: Is something important because you measure it, or is it measured because it’s important? I find that we tend to measure what we can, rather than working toward being able to measure what we (…)
Fixes to Wysopal’s Application Security Debt Metric
by Russell on March 5, 2011
In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections (…)
Just Because YOU Think Your Clients Are Too Busy and/or Stupid Doesn’t Mean Everyone Else Is
by alex on March 1, 2011
Mike Rothman’s “Firestarter” on “Risk Metrics are Crap”. It’s very difficult to argue with a poorly constructed argument. Especially when I have no idea what a “risk metric” is. But best as I can tell, Mike’s position is that unless (…)