I agree with Ben Tomhave on this particular subject. He is basically saying that we still don’t have a good solution for reliable and repeatable risk assessments. I must say that this is not true for smaller scopes, like a single application or a small network or system. However, when we start talking about a [...]
I agree with Andrew Hay here:
Should the Helpdesk be a Mandatory Start for an IT Career?
For anyone who has worked in a “front line” customer facing telephone support role, the answer is almost always an emphatic “YES”. I tend to agree with my colleagues for one simple reason – embitterment helps you succeed.
Why do I think IT folks [...]
This SANS Diary entry from Bojan Zdrnja is a very good explanation about how an apparently non-exploitable SQL Injection condition can be used to get important information from the database. Just by looking at one of the sample injected SQL statements you can see how complex a SQL Injection attack can be:
event = tr’ || [...]
Trying to be PCI compliant is a tough task. One of the biggest problems is finding good answers to common questions, as the “PCI specialists” are usually very evasive and will hardly give you a definitive answer. So, it’s extremely valuable when someone posts a set of common Q&A about the subject like this [...]
I’m maybe a little (a lot?) late on this, but I was reading this nice description of a packet capture analysis from the SANS forensics blog and just found that Wireshark can read SSL encrypted connections if you provide the private key! This is really nice and useful. Here is a screenshot (also from SANS [...]
The latest Verizon reports brought a lot of very good numbers to the Information Security space, which is so much in need of reliable data. There is always the risk of people using numbers in a wrong way, falling into the famous “base rate fallacy” class of mistakes.
Check Pete Lindstrom’s comments on it; they perfectly illustrate how easy [...]