Archive for the 'Security metrics' Category

The Future : Regulation is Futile – Market Forces Will Prevail

April 28, 2009

39,000 ft over yet another ocean...
I just watched an old Bill Joy talk from TED 2006 via iTunes. Two key paraphrases struck me as prophetic.
“You can’t regulate the problem away”
“What we need is better networks”
In 2005 I did a series of public speaking events using a theme Naked security in which I stripped [...]

NSA Posts Secrets to Writing Secure Code – Write at 38 LOC Per Day

October 21, 2008

The National Security Agency has released a case study showing how to cost-effectively develop code with zero defects. If adopted widely, the practices advocated in the case study could help make commercial software programs more reliable and less vulnerable to attack, the researchers of the project conclude.
The case study is the write-up of an NSA-funded [...]

GRC – Why It’s of LIMITED Interest to Me

June 10, 2008

I wanted to post a “rah rah” message to Rich Mogul when he posted that GRC platforms Are Dead. He was so spot on in my humble opinion that he made me smile for a week or so. I may be a bolshy arrogant git confident but re-assurance from smart people is always comforting. Today [...]

Metrics that Matter

November 9, 2007

Ask a wine maker if climate change is real. This year there will be no organic wine from Burgundy. All wine makers have had to spray to prevent mildew attacking vines. Australia will have one of the worst crops in decades and as a result prices of Australian wines will rise next year. Italy [...]

Count What Counts

November 9, 2007

Working at Microsoft can be hard. You have to force yourself to not get distracted by all the smart things that smart people are doing and saying. Last week I was sent a summary of an internal blog post by BillG talking about the business in general, ROI and metrics. As usual the summary was [...]

A Sneak Peek at Some Cool Software Security Tools

October 25, 2007

My last blog leads me neatly on to the good stuff. Joining a new company is like a poker game. They need to tell you enough to get you interested but not so much that if you decide not to join you could screw up their plans. I knew ACE had bits of cool stuff [...]

Marc Andreessen on Platforms

September 24, 2007

Marc’s post here is well worth a read.
Level 1 is what I call an “Access API”.
Level 2 is what I call a “Plug-In API”.
Level 3 is what I call a “Runtime Environment”.
The Oxygen Security Platform is actually likely to be a combination of all three!

Security Data Visualization Book

September 18, 2007

Just picked up from O’Reilly, a new book called Security Data Visualization. It looks to be very network security centric but I will check it out and post a review here.

This Metric Shows Behavioral Change

September 11, 2007

A week ago I posted that Metrics Should Change Behavior and used what I think is a clever play on statistics to demonstrate the art of positioning. You can see the video used here. Thinking about it a little more it seems to me that a good metric should possess two qualities. The first [...]

Metrics Should Change Behaviour

September 4, 2007

A British University studied 1,050 rock stars and concluded:
European artists are twice as likely to die early as the rest of the population.
US rock stars died at an average age of forty-two while European rock stars died at an average age of thirty-five.
One in ten children in the UK aspire to be a rock [...]