Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Category Archives: Auditing

BSIMM – Top Ten Surprises

– In a prior column, I described the results of a survey conducted by Gary McGraw, Sammy Migues and Brian Chess published in the BSIMM (Build Security In Maturity Model) report available at http://bsi-mm.com/. Most of the results are intuitively obvious … after the fact, that is. But some…

Security and Audit – BFFLs? Maybe not, but…

– …we may have lots of reasons to work together more closely. Maybe it is just the luck of the draw that at almost every employer for the last 15 years, I have been the one to manage our audit relationships, but I am certainly suspicious my good fortune is other than divinely inspired. …

Slashdot Post On Security Ethics Demonstrates Professional Naiveness

– Over at Slashdot, an anonymous reader was quoted as follows (in entirety): “I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I…

The Misleading Nature of Schneier’s Security Mindset

– Recently Bruce Schneier wrote an essay on the Security Mindset. In it he wrote: Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They…

Reflections on Passwords: Cracking and Log Analysis

– This post on Emergent Chaos caused me to reminisce a bit. Back in the day, one of my responsibilities was password auditing (cracking). Unlike many other password auditors, I was internal to the company, not an external auditor. I knew the people whose passwords I was cracking. In addition,…