The New Vulnerability and Risk Management (VRM) Paradigm: Holistic, Dynamic, Adaptive
The ability to perform effective Vulnerability Risk Management (VRM) is an important marker of IT security maturity. Why? Managing the flow of vulnerabilities in complex IT environments is a major challenge. So is recognizing, categorizing, and prioritizing IT security risks.… Continue reading
Cyber-Investigations: A Brute Force Attack on WordPress
They came in the morning. Over 800 emails, John said. Looking like the ones in the picture below. John was concerned but relieved that he’d enabled the WordPress plugin “Limit Login Attempts.” He said his company’s web… Continue reading
Covert OAuth Redirects and Perverse Incentives
Covert redirect is a structural vulnerability in OAuth-based protocols. It was widely publicized in early May. Identity and security experts had long known about it but don’t have an easy fix. Once the media learned covert redirect isn’t as serious… Continue reading
A Good Question: Should we Focus on Threats or Just Vulnerabilities?
My post “Should we Focus on Threat Assessment or Just Vulnerabilities” just went up on RSA’s blog. Hopefully, there, it will reach a wider (or different) audience than we have here and also drive some traffic back to… Continue reading
Cyber-Investigations: The Case of the Command-Injection Attack
As a consulting analyst, I focus on security architecture and strategic planning, not day-to-day operations. But people know that if you meet a security expert at a dinner party you can probably get him to investigate that strange… Continue reading