Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence [...]
The Electronic Frontier Foundation has published a report on the State of HTTPS Security that promises to be the first in a series and is well worth reading on its own. The TL;DR version: HTTPS adoption is growing rapidly, but the current system, especially the Certificate Authorities, has much room for improvement before it actually [...]
Ben Sapiro showed off his Binary Risk Assessment (BRA) at SecTor recently. While I didn’t see the presentation, I’ve taken some time and reviewed the slides and read through the documentation. I thought I’d quickly give my thoughts on this: It’s awesome and it sucks. IT’S AWESOME That’s not damning with faint praise, rather, it’s [...]
I’ve left Verizon. A lot of folks have come up to me and asked, so I thought I’d indulge in a rather self-important blog-post and explain something: It wasn’t about Verizon, but about the opportunity I’ve taken. Wade, Chris, Hylender, Marc, Joe, Dave, Dr. Tippett & all the rest – they were all really, really [...]
Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give [...]
From Krugman (commentary is his): “Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard When I hear words from almost anyone about how their approach is better than some other approach, I think of this quote. And as Daniel Patrick Moynihan said: Every man is entitled to his own opinion, [...]
So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques. What we could use are data-driven pen test reports. “We [...]
Seriously. Interesting. Go check this out: http://securityblog.verizonbusiness.com/2011/04/12/veris-community-project-update/ Take a look, impact information!
Hey Kids, Reader Mark Wallace wrote in a comment to the blog yesterday, and I wanted to answer the comment in an actual blog post. So here goes: – Mark, Thanks for reading! There’s a point where publicly writing forces me to answer a few questions that I’m not ready to make a quick decision [...]
I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk – you don’t say). As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently. A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement [...]