All Posts

Why CISOs should Care About Cloud “Drift”

Drift metrics can help measure how well-managed an enterprise’s technology assets are. CISOs can mine data contained in mainstream cloud configuration tools to understand conformance or divergence from expected states.

New Web Adventures with Heroku

Image copyright 2016 by Kharnagy, licensed under the Creative Commons Attribution-Share Alike 4.0 International license. Many ardent followers of this blog know that among other things, one of my professional hobbies is application development.

Moving to Octopress

Soon, I will be moving the website to a simpler, secure and more usable system—the same platform that powers Markerbench. It should be done in time for Mini-Metricon (March 1st, 2013).

All Andy’s Posts Now on Markerbench

As part of a continuing experiment with static blogging, I have moved all of my historical blog posts to Markerbench. Everything is now here, including the somewhat notorious essay Escaping the Hamster Wheel of Pain, which introduced a certain rodent-related metaphor to the security trade and served as the introduction to my book, “Security Metrics: Replacing Fear, Uncertainty and Doubt”.

Outsource your web risks with a static website

A few weeks ago I put together my annual Predictions blog post for the coming year. In that post and accompanying webinar, I suggested five emerging risk areas that CISOs need to pay attention to in the coming year.

Making the Wrong Development Choices

I hate to be a curmudgeon about this, but this fellow needs a beat-down: “Fixing AJAX: XmlHttpRequest Considered Harmful”. I offer this as exhibit A (as in AJAX) about why application security may well be intractable, in part because we’ve got mainstream technical outlets teaching techniques to evade well-founded security principles.