On Jul 27, 2010, at 10:58 PM, d...@geer.org wrote: > >> >> Wow, I was just going to recommend Dan's book, "Security Metrics." >> > > It is actually Andy Jaquith's book, I only wrote the intro.
Ouch, I'm sorry for the mistake! (I knew I remembered your name in connection with the book, but it's on my bookshelf in the office and I was at home.) > In the meantime, though, couple of years ago I did a tutorial > on security metrics which you may find useful > > http://geer.tinho.net/measuringsecurity.tutorial.pdf Thanks, my favorite so far is page 45 with the table on Risk Management Culture. I need to tape that to the wall for inspiration. Pathologic: Don't want to know Bureaucratic: May not find out Generative: Actively seek Pathologic: Failures punished Bureaucratic: Local repairs only Generative: Failures beget reforms From my point of view: The security community is being Generative (Actively seek) about finding the flaws in systems, but it's too often in the Pathologic (Failures punished) stage about how to handle those flaws once they're discovered. My suspicion: It's fun to Actively seek, and hard to find solutions, and it can be downright frustrating to champion reforms. If the vulnerability isn't gigantic, it's hard to even get people to listen. Reform is maybe 20x harder and 1/5th as fun as poking the holes. That said, here's an experience worth talking about: Dan Kaminsky did a pretty good job of being Generative in _both_ categories. He found a hole in DNS, and then worked with LOTS of vendors and even with people not directly tied to DNS to collaborate on reforms. He even called me (at a smaller CA) to make sure we were aware of the risks and to verify that we don't only rely on automated forms of verification. I really appreciated the call--it felt like my chance to talk to a rock star. All the best, Paul Tiemann (DigiCert) --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
