Today I did an interesting experiment that I thought was worth sharing with others. I tried to come up with a ten item list of password/access management policies based on increasing levels of security. On my list, a “10” effectively means the most secure access management and password polices whereas as “0” effectively means nothing. […]
A couple of years ago I decided, along with support from my management, that Enterprise Risk Management would become a focal point for my Information Security Program. I was convinced that framing vulnerabilities in the form of risks was essential to giving management visibility into issues they currently didn’t know existed and to give our […]
Joel Spolsky is a bit of an internet cause célèbre, the founder of Fog Creek Software and writer of joelonsoftware.com, an influential programming Web site. The book is about technical recruiting and retention, and even though it’s a small format under 200 page book, it covers a lot of different topics. His focus is on […]
This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member. My notes are below: What’s Changed? It’s about Risks, not just vulnerabilities New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize […]
For my last session of the first day of the TRISC 2009 Conference, I made the mistake of attending Ricky Allen and Randy Holloway’s presentation on “The Importance of Log Management in Today’s Insecure World”. I say “mistake” because out of all of the presentations I attended over the entire three days of the conference […]
Logs are one thing that I think are severely underutilized by most systems administrators. Most of us have taken the first step by actually logging the data, but neglect organizing it into any sort of manageable form. You’ll probably argue that any hardcore *nix admin would be able to take the raw logs using grep, […]
