Speaker: Jared Pfost (@JaredPfost) Framing: IT Security Metrics in an Enterprise. If metrics are valuable, why aren’t we measuring them? There is virtually no research on them. The Chase: measuring metric program maturity would be easy, but not valuable. Metric programs aren’t a priority for enough CISOs for a benchmark to matter. Additional proof needed:… Continue reading
Metricon: Software Security’s Futures Plural
UPDATE – 2011-02-26: Alfonso has posted his slides and BeeWise is open! Speaker: Alfonso De Gregorio. How do we build a future in software security? /me: the slides that will be posted have a ton of detail that Alfonso sped through; you’ll get a very good feel from them. Metrics are the servants of… Continue reading
Metricon: Name Server Log Data
Speakers: Fruhwirth, Proschinger, Lendl, Savola, “On the use of name server log data as input for security measurements”. CERT.at coordinates security efforts and incident response for IT security problems on a national level in Austria; it is constituted of IT company security teams and local CERTs. Why name server data? CERT.at is mandated to… Continue reading
Metricon: Automated Incident Reporting
Speaker: Juhaniu Eronen, “The Autoreporter Project”. Background goal: make Finland mostly harmless to the rest of the internet (that’s actually in the law – Protection of Privacy in Electronic Comms/Finland). /me: I’ll need to put some verbiage around this tonight to give you a good picture of what Juhaniu was conveying… really good description… Continue reading
Metricon: Critical Consumption Of Infosec Statistics
Speaker: Chris Eng / Veracode. Every major infosec company publishes quarterly/yearly summary reports, some based on surveys, some based on real captured data. Recognizing the Narrative: every fancy-looking infosec metrics report is a marketing vehicle; each has a different perspective and there is no consistency, but you can figure out the framing by looking at the exec summary… Continue reading
Metricon: Evidence Based Risk Management
Better management through better measurement. Speakers: Wade Baker, Alex Hutton and Chris Porter. State of the industry: are we a science or a pseudoscience? Random fact gathering; a morass of interesting, trivial and irrelevant observations; a variety of theories that provide little guidance to data gathering. Sources of knowledge under “risk” aggregate: asset landscape, impact landscape, threat landscape… Continue reading
“Web Development Is Dangerous”
Those were the words that greeted me within five minutes of checking out the Flask microframework for Python web applications. I feel compelled to inline those four short paragraphs: I’m not joking. Well, maybe a little. If you write a web application, you are probably allowing users to register and leave their data on your… Continue reading
Quick Hits :: 2011-02-09
Security :: VSR uses some high-ish profile attacks from 2010 to provide fodder for the VAR community :: Security Risk: Top Hacker Attacks of 2010. I include it as the examples they provide should make it easier for folks doing presentations where they need to show real-life attacks (without sifting through the individual entries at the… Continue reading