Acquisitions and Supply Chains: The Achilles’ heel of Product/Organizational Security

(A reminder to folks expecting “R”/”data science” content: the feed for that is at if you don’t want to see the occasional non-R/datasci posts.) Over at the $WORK blog we posted some research into the fairly horrible Cisco RV320/RV325 router vulnerability. The work blog is the work blog and this blog is my blog… Continue reading

GDPR Unintended Consequences Part 1 — Increasing WordPress Blog Exposure

I pen this mini-tome on “GDPR Enforcement Day”. The spirit of GDPR is great, but it’s just going to be another Potempkin Village in most organizations much like PCI or SOX. For now, the only thing GDPR has done is made GDPR consulting companies rich, increased the use of javascript on web sites so they… Continue reading

Enabling Concerned Visitors & Ethical Security Researchers with security.txt Web Security Policies (plus analyze them at-scale with R)

I’ve blogged a bit about robots.txt — the rules file that documents a sites “robots exclusion” standard that instructs web crawlers what they can and cannot do (and how frequently they should do things when they are allowed to). This is a well-known and well-defined standard, but it’s not mandatory and often ignored by crawlers… Continue reading

Armchair Quarterbacking Systemic Organization and Industry Failures

insert(post, “{ ‘standard_disclaimer’ : ‘My opinion, not my employer\’s’ }”) This is a post about the fictional company FredCo. If the context or details presented by the post seem familiar, it’s purely coincidental. This is, again, a fictional story. Let’s say FredCo had a pretty big breach that (fictionally) garnered media, Twitterverse, tech-world and Government-level… Continue reading