Posts have been slow due to an insane travel/speaking schedule - see below if you’re interested. One of these days I’ll get back to my desk to focus more on R&D type stuff. Arian, Bill, and the operations team get to have all the fun. Fortunately I have been able to squeeze in some time to work on one particular project I’m really excited about. I’ll be able to talk more about it once I get it working properly.
In the meantime I still read a tremendous amount, and a pair of excellent posts stood out from the rest. The posts discussed essentially the same issue, security metrics, but from different angles. For many, security metrics is an incredibly boring topic; for others it's a contentious subject and a way of life. The rest of us fall somewhere in the middle.
1) Chris Hoff interviewed Andy Jaquith (Analyst, Yankee Group), who shared some fascinating insights about warehouse operations metrics and how they contrast with security operations metrics. It sounds odd, I know, but he's got some really interesting stories to tell.
2) RSnake then talks about how new security safeguards mitigate risk only temporarily: they incentivize attackers to target someone else because it's easier. This effect remains in place only until the solution becomes standard across the market, at which time the risk mitigation value of the solution decreases because everyone then becomes the same.
9/10 ISACA Network Security (Las Vegas, NV)
9/12 InfoSecurity (New York, NY)
9/17 IT Security World (San Francisco, CA)
9/20 OWASP Chapter (Boulder, CO)
9/24 OWASP Conference (Taiwan)
10/2 WhiteHat Chicago regional event
10/9 WhiteHat Atlanta regional event
10/10 OWASP Chapter (Houston, TX)
10/11 OWASP Chapter (San Antonio, TX)
10/16 ISSA Symposium (Long Beach, CA)
10/18 ISSA (Portland, OR)