Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success, we’ve already seen publications inspired by it, such as Moving Fast and Breaking Things: How to stop crashing more than twice, and I know there’s more forthcoming. I’m…Read More Empirical Evaluation of Secure Development Processes
“90% of attacks start with phishing!*” “Cyber attacks will cost the world 6 trillion by 2020!” We’ve all seen these sorts of numbers from vendors, and in a sense they’re April Fools day numbers: you’d have to be a fool to believe them. But vendors quote insane because there’s no downside and much upside. We…Read More Leave Those Numbers for April 1st
Then he explained the name was important for inspiring the necessary fear. You see, no one would surrender to the Dread Pirate Westley. The DREAD approach was created early in the security pushes at Microsoft as a way to prioritize issues. It’s not a very good way, you see no one would surrender to the…Read More The DREAD Pirates
This is a survey from Doug Hubbard, author of How To Measure Anything and he is currently writing another book with Richard Seiersen (GM of Cyber Security at GE Healthcare) titled How to Measure Anything in Cybersecurity Risk. As part of the research for this book, they are asking for your assistance as an information…Read More Survey for How to Measure Anything In Cybersecurity Risk
Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM…Read More A Mini-Review of "The Practice of Network Security Monitoring"
Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data. First, I’m unsure what’s actually meant by…Read More Active Defense: Show me the Money!
There’s been a lot of noise of late because Oracle just released their latest round of patches and there are a total of 78 of them. There’s no doubt that that is a lot of patches. But in and of itself the number of patches is a terrible metric for how secure a product is.…Read More Oracle's 78 Patches This Quarter, Whatever…
(From The Oatmeal.) It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal. We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle…Read More Seattle in the Snow
On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries concieves as startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups. In fact, he thinks that startups are everywhere, even…Read More Lean Startups & the New School
The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization“, starting in a couple of weeks. Sounds pretty New School to me! I suggest that you all check it out and participate in the dialog. Should be interesting and thought provoking. [Edit — fixed my…Read More Securosis goes New School