Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a silver bullet! Threat modeling is yet another input into an over all risk analysis. And [...]
The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as [...]
Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist. His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1. Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control” Norm, if you mean encompassing both so [...]
In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my caw enough to write this blog post. So let’s discuss why Mr. Lacey has no clue [...]
The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != [...]
OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I can take it. And Twitter doesn’t really give you a means to explain why you [...]
In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections that will be both more credible and more accurate, at least for half of the [...]
No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments. Unfortunately, I’m not a very good writer because the majority of readers miss the point. Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane. [...]
Lately there has been quite a bit of noise about the concept of “trust” in information security. This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well [...]
We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for [...]