Re: [SC-L] [SAMM] NIST SP 800-37

2010-02-03 Thread McGovern, James F. (eBusiness)
I like your take. Maybe the SAMM team could provide formal commentary to NIST in this regard. I suspect that in not providing feedback, it will be published and those who read it at a later date will get confused as to the value proposition of each aka more disturbances in the force... ___

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
hi steve, It's BSIMM Begin and we are delinquent looking into the data. Hope to do that soon. We have 75 partial vectors in the set (including some "control" vectors from full BSIMM participants). Anyone who wants to help us "top off" the data...(I was hoping to gather 100 vectors)...click h

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi Arian, Some more particulars regarding your posting. Sorry for the delay... On 2/2/10 4:32 PM, "Arian J. Evans" wrote: >Strategic folks (VP, CxO) ...Initially ...ask for descriptive information, but >once they get >going they need strategic prescriptions. Please see my response to Kevin.

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi Steve (and sc-l), I'll invoke my skiing with Eli excuse again on this thread as well... On Tue, 2 Feb 2010, Wall, Kevin wrote: > To study something scientifically goes _beyond_ simply gathering > observable and measurable evidence. Not only does data need to be > collected, but it also needs

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi again Mike, Yadda yadda, delay, and so on... On 2/2/10 9:30 PM, "Mike Boberski" wrote: But the vast majority of clients I work with don't have the time or need or ability to >take advantage of BSIMM >>Mike's Top 5 Web Application Security Countermeasures: >>1. Add a security guy or gal wh

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
hi mike, On 2/2/10 9:28 PM, "Mike Boberski" wrote: >Fun article. To try to be equally pithy in my response: the article reads to >me like a high-tech, application security-specific >form of McCarthyism. As a die hard liberal, I take offense to the McCarthy comment (hah). Anyway some interleav

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
hi kevin (and sc-l), Sorry for the delay responding to this. I was skiing yesterday with my son Eli and just flew across the country for the SANS summit this morning (leaving behind 6 inches of new snow in VA). Anyway, better late than never. I'll interleave responses below. On Thu, 28 Jan 2

Re: [SC-L] NIST SP 800-37

2010-02-03 Thread Benjamin Tomhave
800-37 has been in release for a while, providing the basis for the C&A process. My understanding is that C&A is evolving (and going the way of the dinosaur) very soon as NIST works with CNSS/JTF on the next big thing. I'm blanking on the rest of the details (not my space), but pinging Mike Smith (

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Kenneth Van Wyk
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote: > Among other things, David and I discussed the difference between descriptive > models like BSIMM and prescriptive models which purport to tell you what you > should do. Thought I'd chime in on this a bit, FWIW... From my perspective, I welcome

[SC-L] NIST SP 800-37

2010-02-03 Thread McGovern, James F. (eBusiness)
NIST has created a draft document entitled: Guide for applying risk management framework to federal information systems: a security lifecycle approach. Curious to know if anyone has identified gaps, differences in opinion, etc between NIST and how either SAMM or BSIMM would define the same? ***

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread McGovern, James F. (eBusiness)
OK, being the insurance enterprisey security guy I think you may be onto something. One of the many reasons why actuarial science can work in insurance is the fact that there is a lot more public data than in IT security. If you smash your car into a wall, your chosen carrier doesn't just pay the c

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Benjamin Tomhave
I challenge the validity of any risk assessment/rating approach in use today in infosec circles, whether it be OWASP or FAIR or IAM/ISAM or whatever. They are all fundamentally flawed in that they are based on qualitative values that introduce subjectivity, and they lack the historical data seen in

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread McGovern, James F. (eBusiness)
While Wall Street's definition of risk collapsed, the insurance model of risk stood the test of time :-) Should we explore your question of "how are risk levels defined in business terms" more deeply or can we simply say that if you don't have your own industry-specific regulatory way of quantifyi

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Mike Boberski
> But the vast majority of clients I work with don't have the time or need or ability to take advantage of BSIMM Mike's Top 5 Web Application Security Countermeasures: 1. Add a security guy or gal who has a software development background to your application's software development team. 2. Turn

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Mike Boberski
Fun article. To try to be equally pithy in my response: the article reads to me like a high-tech, application security-specific form of McCarthyism. To explain... The amount of reinvention and discussion about the problems in this space is spectacular. If one has something to start from which on

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Benjamin Tomhave
While I can't disagree with this based on modern reality, I'm increasingly hesitant to allow the conversation to bring in risk, since it's almost complete garbage these days. Nobody really understands it, nobody really does it very well (especially if we redact out financial services and insurance