Back to You, Rob!

by alex on March 22, 2011

Rob is apparently confused about what risk management means. I tried to leave this as a comment, but apparently there are limitations in commenting. So here goes: Rob, nowhere did I imply you were a bad pen tester. I (…)

Actually It *IS* Too Early For Fukushima Hindsight

by alex on March 22, 2011

OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT

Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I (…)

What does Coviello’s RSA breach letter mean?

by adam on March 21, 2011

After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, (…)

SIRA Meeting! THURSDAY

by alex on March 8, 2011

THURSDAY, THURSDAY, THURSDAY!!!!!!! Hi everyone! SIRA’s March monthly webinar is this Thursday, March 10th from 12-1 PM EST. We are excited to have Mr. Nicholas Percoco, Head of SpiderLabs at Trustwave, talk to us about the 2011 Trustwave Global Security (…)

Fear, Information Security, and a TED Talk

by adam on March 7, 2011

In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less (…)

Measurement Priorities

by Chandler on March 5, 2011

Seth Godin asks an excellent question: Is something important because you measure it, or is it measured because it’s important? I find that we tend to measure what we can, rather than working toward being able to measure what we (…)

Fixes to Wysopal’s Application Security Debt Metric

by Russell on March 5, 2011

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections (…)

Just Because YOU Think Your Clients Are Too Busy and/or Stupid Doesn’t Mean Everyone Else Is

by alex on March 1, 2011

Mike Rothman’s “Firestarter” on “Risk Metrics are Crap”. It’s very difficult to argue with a poorly constructed argument. Especially when I have no idea what a “risk metric” is. But best as I can tell, Mike’s position is that unless (…)
