Greetings everybody! I am pleased to announce that my book, Security Metrics: Replacing Fear, Uncertainty and Doubt has shipped from the printers and is on its way to better bookstores near you.
Perspective
Posts ∙ 63 posts
Posts
ZDNet’s Ryan Naraine blogs about Joanna Rutkowska’s blog post on Vista security. Joanna pointed out that Vista’s Mandatory Integrity Control feature has a few implementation flaws and seems to default to prompting for admin credentials whenever setup apps run. EWeek’s Joe Wilcox asked me to comment on the imbroglio which I was happy to do. I also posted a lengthy comment on Joe’s story, which for posterity I reprint here.
My publisher, Addison-Wesley, has recently updated the information on my book, Security Metrics: Replacing Fear, Uncertainty and Doubt on Amazon. Although I am particularly fond of the inside contents, I am also very pleased with the way the cover came out.
My buddy Gunnar Peterson has recently been raging about the inadequacies of REST security, pointing out that RESTful folks who equate transport-level confidentiality (such as SSL provides) with “security” are only partly right.
Today I stumbled upon Fortify’s Java Open Review Project, whose goal is to count security defects in popular Java projects.
I’d like to tip my cap to Brian Chess and the folks at Fortify for this.
As usual, the purposefully provocative, belligerently blogging Mike Rothman has gone and done it again — aimed his treacly firehose at security metrics. Most recently, he’s waded into the post-fest on the subject, of which Amrit Williams, Rich Mogull, Pete Lindstrom and Alex Hutton have been willing participants.
Now, I recognize that Mike’s stock-in-trade is hyperbole. He generally tells you exactly what he thinks, albeit with some slight exaggeration to get people’s blood pumped up and their tongues wagging in reply. He wants spirited debate, and if it takes a little baiting to get it, he’ll do it.
Alrighty then. I’ll take that bait. Mike’s been kind enough to reference my ongoing security metrics work over the last few months, and has been egging me on (privately) to convince him exactly what it is about security metrics that I find so compelling. Why, in essence, would I spend time researching a topic that has (for him) so little obvious value?