Misguided misguidings over the EU bug bounty

The EU recently announced they are going to sponsor a security bug bounty program for 14 open source projects in 2019. There has been quite a bit of buzz about this program in all the usual places. The opinions are all over the place. Some people wonder why those 14, some wonder why not more.Continue reading “Misguided misguidings over the EU bug bounty”

Targeted vs General purpose security

There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’sContinue reading “Targeted vs General purpose security”

The father of modern security: B. F. Skinner

A lot of what we call security is voodoo. Most of it actually. What I mean with that statement is our security process is often based on ideas that don’t really work. As an industry we have built up a lot of ideas and processes that aren’t actually grounded in facts and science. We don’tContinue reading “The father of modern security: B. F. Skinner”

Security ROI isn’t impossible, we suck at measuring

As of late I’ve been seeing a lot of grumbling that security return on investment (ROI) is impossible. This is of course nonsense. Understanding your ROI is one of the most important things you can do as a business leader. You have to understand if what you’re doing makes sense. By the very nature ofContinue reading “Security ROI isn’t impossible, we suck at measuring”

Helicopter security

After my last post about security spending, I was thinking about how most security teams integrate into the overall business (hint: they don’t). As part of this thought experiment I decided to compare traditional security to something that in modern times has come to be called helicopter parenting. A helicopter parent is someone who won’tContinue reading “Helicopter security”