An interesting debate/panel over at Matasano with perspectives from a pundit, researcher, and honest-to-goodness in the trenches security pro.
One of my biggest annoyances in the industry is the lack of good metrics for making informed decisions, and the overuse of crappy metrics (like ROI) that drive poor decisions. Of those valid metrics that wistfully dance with rainbows, unicorns, and pony-unicorns in my happiest dreams, those that correlate real-world fraud with real-world incidents stand alone on the peak of the rainbow bridge to metrics nirvana. I’ve written about our need for fraud statistics, not breach statistics, but often…
Good post to read over at the Burton Blog. A snippet:
Of course, the elements of G, R, C are not dead. Governing, managing risk, and responding to compliance obligations are ongoing and critical organizational tasks. The problem is conflating them into a single term. As Burton Group is inclined to say, GRC is a four-letter word that shouldn’t be spoken among polite company. Each function is deserving of its own, complete, and separate word. There’s no organization in which compliance…
For a while now I’ve been using different web browsers to compartmentalize my risk. Most of my primary browsing is in one browser, but I use another for potentially risky activities I want to isolate more. Running different browsers for different sessions isolates certain types of attacks. For example, unless someone totally pwns you with malware, they can’t execute a CSRF attack if you’re on the malicious site in one browser, but using a totally separate browser to check your bank balance.…
I’m still out at SANS, in a session dedicated to PCI and web application security.
Now, as you readers know, I’m not the biggest fan of PCI. The truth is (this is the “bad” part) it’s mostly a tool to minimize the risk of the credit card companies by transferring as much risk and cost as possible to the merchants and processors.
I’m out in Vegas at the SANS WhatWorks Summits on application security and penetration testing. I like the format of these events, which mix a few expert talks with a whole slew of user panels. I’ve previously spoken at the DLP and Mobile Encryption Summits.
Jeremiah Grossman is just finishing up his keynote at the SANS conference on web application security. Jeremiah and I have talked a few times about the future of web application security, and we both agree that many current approaches just can’t solve the problem. It’s increasingly clear that no matter how good we are at secure programming (SDLC) , and no matter how effective our code scanning and vulnerability analysis tools are, neither approach can “solve” our web application security…
The legendary Mike Rothman will be in Phoenix this week, so we’re going to call an emergency session of SunSec on Wednesday to celebrate the occasion. Rumor is we might also have another surprise guest or two.
Yes, it’s one of those weeks, with two webcasts and a conference (SANS Pen Testing and Application Security in Vegas).
This Tuesday I’ll be giving a webcast for RSA on encryption and key management. It’s heavy on the data center side; focusing on SAN/NAS/Tape, Databases, and Applications. Not much discussion of mobile or email, but a bit of file and folder (server based).