All Stories

More Praise for “Security Metrics”

The bloggiste at Layer 8 just declared Security Metrics to be “That Good”. I have no idea who shrdlu actually is. But whomever she is, she deserves a hearty thank-you and an offer of ...

In security, metrics, books, Apr 15, 2007

Alex Hutton Likes “Security Metrics”

Alex Hutton was one of the editorial reviewers for several chapters of Security Metrics, and offered some excellent feedback during the writing stages. Now that the book has shipped, ...

In security, metrics, books, Apr 03, 2007

Introducing Security Metrics, the Cartoon

Mark Curphey’s cynical vehicle for ripping the security industry gains another blunt instrument: the Hamster Wheel of Pain, featured in Chapter One in Security Metrics: Replacing Fear...

In security, metrics, humor, Apr 01, 2007

Security Metrics Has Shipped

Greetings everybody! I am pleased to announce that my book, Security Metrics: Replacing Fear, Uncertainty and Doubt has shipped from the printers and is on its way to better bookstore...

In security, metrics, books, Mar 30, 2007

Ryan, Joe, Joanna, and the “Serious Hole” in Vista’s UAC

ZDNet’s Ryan Naraine blogs about Joanna Rutkowska’s blog post on Vista security. Joanna pointed out that Vista’s Mandatory Integrity Control feature has a few implementation flaws and...

In security, Windows, Mac, Feb 14, 2007

And So It Begins, With Small Saturated Spots

My publisher, Addison-Wesley, has recently updated the information on my book, Security Metrics: Replacing Fear, Uncertainty and Doubt on Amazon. Although I am particularly fond of th...

In security, metrics, books, visualization, Jan 10, 2007

SSL is a Concrete Sewer Pipe

My buddy Gunnar Peterson has recently been raging about the inadequacies of REST security, pointing out that RESTful folks who equate transport-level confidentiality (such as SSL prov...

In security, Jan 03, 2007

Coding in Anger

Last week’s shutoff of this website’s self-registration system was something I did with deep misgivings. I’ve always been a fan of keeping the Web as open as possible. I cannot stand ...

In security, web security, identity, Jan 01, 2007

Fortify’s Java Open Review Project: a Nascent Security Benchmarking Effort?

Today I stumbled upon Fortify’s Java Open Review Project, whose goal is to count security defects in popular Java projects.I’d like to tip my cap to Brian Chess and the folks at Forti...

In security, metrics, Dec 14, 2006

Metrics, Rothman and Gaming the System

As usual, the purposefully provocative, belligerently blogging Mike Rothman has gone and done it again — aimed his treacly firehose at security metrics, Most recently, he’s waded into...

In security, metrics, Nov 18, 2006