Application Security
All Red Team, All the Time
In last week's blog [/2015/09/17/push-vs-pull-security] (which you should read
now if you have not), I said:
> The core problem with security today isn't about technology. It's about
> misaligned incentives. We are trying to push security onto people, teams, and
> processes that just don't want it.
To be clear, it's not that people don't care. They say they want security, and I
believe them. Or more precisely, part of their brain wants security. People who
want to break a bad habit
[/2015/07/09/c
CISOs
Push vs Pull Security
I woke up from a dream this morning. Maybe you can help me figure out what it
means.
Your company hired me to build a security program. They had in mind a number of
typical things. Build a secure software development lifecycle so app developers
didn't code up XSS vulnerabilities. Improve network security with new firewalls
and roll out IDS sensors. Set up training so people would be less likely to
get phished. Implement a compliance program like NIST or ISO. And you wanted all
of that rolle
CISOs
CISOs: Do you have enough locks on your doors?
In a previous blog post
[/2015/07/09/ciso-in-residence-series-shocked-but-not-surprised], I referenced
some research on how people plan for, or rather how they fail to plan for,
natural disasters like floods. At the end of the blog post I mentioned that
people who have poor mental models about disasters fail to prepare fully. I keep
coming back to the idea of mental models because it starts to explain why we
have such a gap between security practitioners and senior executives.
I asked one CISO
The Absence of Evidence in Breaches
Try this experiment. Go to your favorite search engine and type this:
“no evidence” security compromise
(Other variations are also interesting, including adding words like “breach”)
There is something about the phrase “no evidence” that troubles me. You may have
noticed the same thing. On a regular basis organizations say that there is no
evidence of compromise, and no evidence that attackers gained access to
user/customer/employee data. They write these phrases to lessen the blow of what
is