Perspectives on technology, security, and current events.

about me

I’m Andrew Jaquith, a Wall St Managing Director. I run Goldman Sachs’ Technology Risk Measurement & Analytics team. Previously, I was CTO SilverSky, and former analyst with Forrester and Yankee Group. My interests include security and risk, anything data-related, app development, visualization, good writing and spirited discussion.




All Andy’s Posts Now on Markerbench

posted in applications, blog

As part of a continuing experiment with static blogging, I have moved all of my historical blog posts from to Everything is now here, including the somewhat notorious essay Escaping the Hamster Wheel of Pain, which introduced a certain rodent-related metaphor to the security trade and served as the introduction to my book, “Security Metrics: Replacing Fear, Uncertainty and Doubt”.

For the curious, here’s some background on why I moved everything here:

Paving Over the Proprietary Web: The Java Security Bigger Picture

posted in ActiveX, Flash, Java, Oracle, web security

Perhaps you’ve heard about the recently disclosed Java 7 zero-day exploit. The flaw allows a remote attacker to take complete control of a computer. It has been incorporated into many exploit kits. The Department of Homeland Security regards the Java exploit as sufficiently serious to recommend “disabling Java in web browsers until adequate updates are available.” Oracle’s fixes — aren’t.

Many of my colleagues at other security firms have spilled a lot of ink describing why this particular Java exploit is bad. It is indeed that bad; Apple, for example, has forced down an update that blocks the Java 7 plugin from executing in the browser at all, at least until Oracle is able to distribute an update. If you are in the habit of keeping Java switched on in your browser, you should turn it off — of course. But that isn’t always possible. Client-side Java, for example, powers GoToMeeting. Many other companies — including my own — rely on client-side Java for critical functions. So one cannot simply rip it out, or mandate that it be banned. Reality has a habit of messing up the best-intended recommendations. But make no mistake, at some point very soon Java on the client needs to go. CIOs, please take note.

Review of Gene Kim’s Novel, “The Phoenix Project”

posted in DevOps, books

Over the Christmas holidays, I read an advance copy of Gene Kim’s first novel, “The Phoenix Project.” Gene’s co-authors were Kevin Behr and George Spafford. It was a better read than I was expecting. It is about 350 pages. Here’s my review.

The book aims to describe how to bring TQM and “lean” (as in, “manufacturing”) disciplines to IT. Although TQM is especially important in the context of operations, the book shows how “systems thinking” that spans the development and IT operations organizations, and reaches upstream into finance, sales and marketing, is critically important for technology-reliant companies. Because all but the most hidebound companies rely on IT to run (and transform) their businesses, the lessons in this book are generalizable to every company.