This blog has been quite silent lately as I haven’t been finding anything interesting to write about. Even the Verizon report, there’s certainly interesting stuff there, but so many people have talked about it that I don’t even feel compelled to do it. Anyway, there’s at least one thing to mention. I’ve just changed to a new role on [...]
I left this awesome post from this SANS blog pass without saying anything here. It has 10 tips for IT auditors, and in my opinion it nailed down the key issues that I generally have with auditors. Some of the best pieces: Trying to find everything is often a mistake Auditing is never about catching [...]
Two posts in a day… I’m probably sick or something like that. I was reading an interesting article by Bill Brenner on CSO Online, “Five Security Missteps Made in the Name of Compliance”. Although I don’t disagree with what is listed as missteps (in fact I think they are quite correct), something in the last paragraph [...]
I’m starting a Wave on Google Wave to build a collaboration piece on security decision making. Please send me your contact if you want to participate. It starts like this: Security decision making Dear security friends, I’m planning for a long time to work on a paper/presentation about security decision making. I was planning to [...]
Probably not enough content for a post, but certainly for a tweet. It’s common to see in security standards, frameworks and best practices a lot of “standard” ways of doing things like access control and patch management. The problem is that organizations are extremely different from each other, not only in the technology but also [...]
For those who are addicted to vulnerability information feeds, you are probably already aware of the XML Libraries data parsing vulnerabilities. This is the kind of vulnerability that creeps me out. When you’ve got vulnerabilities related to easily identifiable software, like “Windows 2008”, “Firefox 3.5” or “Java Runtime Environment 6”, it is easy to [...]
I was caught by surprise when I was reading Matthew Rosenquist’s post on the IT@Intel blog by this information about the OCTAVE methodology: “I have observed the accuracy to be +/- 40% in complex organizations. I believe this is largely due to multiple tiers of qualitative-to-quantitative analysis and the bias introduced at each level. Credible [...]
I was happy to see the last posts from Alan Shimel about the incident on LxLabs and what that means to “cloud security”. Not only because I think he is right about using it as an example of why we should think about cloud security but also because I like his “anti-hype” posture. Ok, that [...]
Trying to be PCI compliant is a tough task. One of the biggest problems is finding good answers to common questions, as the “PCI specialists” are usually very evasive and will hardly give you a definitive answer. So, it’s extremely valuable when someone posts a set of common Q&A about the subject like this [...]
I read this post from Michael Dahn and I really liked what he called “Attack Vector Risk Management”. Today I saw that the guys from Sensepost also noted the post for the same reasons, and even showed some of their work under the same concept, calling it “Corporate Threat Modeling”. During the last months my [...]