There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’sContinue reading “Targeted vs General purpose security”
There are not millions of unfixed security flaws missing from the CVE data.
We love to do security reviews on the projects, products, and services our companies use. Security reviews are one of those ways we can show how important security is. If those reviews didn’t get done we might end up using a service that could put our users and data at risk. Every good horror storyContinue reading “Security reviews and microservices”
The best part about getting to give a security talk at OSCON is I’m not talking to a security audience, I get to talk to developers about security. Developers, the ones who do the actual work, sometimes in spite of their security teams causing friction and slowing things down.
A lot of what we call security is voodoo. Most of it actually. What I mean with that statement is our security process is often based on ideas that don’t really work. As an industry we have built up a lot of ideas and processes that aren’t actually grounded in facts and science. We don’tContinue reading “The father of modern security: B. F. Skinner”
As of late I’ve been seeing a lot of grumbling that security return on investment (ROI) is impossible. This is of course nonsense. Understanding your ROI is one of the most important things you can do as a business leader. You have to understand if what you’re doing makes sense. By the very nature ofContinue reading “Security ROI isn’t impossible, we suck at measuring”
After my last post about security spending, I was thinking about how most security teams integrate into the overall business (hint: they don’t). As part of this thought experiment I decided to compare traditional security to something that in modern times has come to be called helicopter parenting. A helicopter parent is someone who won’tContinue reading “Helicopter security”
I was watching a few Twitter conversations about purchasing security last week and had yet another conversation about security ROI. This has me thinking about what we spend money on. In many industries we can spend our way out of problems, not all problems, but a lot of problems. With security if I gave youContinue reading “Spend until you’re secure”
This week I’ve been thinking about how security people and non security people interact. Various conversations I have often end up with someone suggesting everyone needs some sort of security responsibility. My suspicion is this will never work. First some background to think about. In any organization there are certain responsibilities everyone has. Without usingContinue reading “But that’s not my job!”
Earlier today I ran across this post on Reddit Security but not Privacy (Am I doing this right?) The poster basically said “I care about security but not privacy”. It got me thinking about security and privacy. There’s not really a difference between the two. They are two faces of the same coin but whyContinue reading “Security and privacy are the same thing”