Security News

Re: The Lost Decade of Security Metrics

Daily Dave - 5 January, 2021 - 16:12

Posted by toby via Dailydave on Jan 05

I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.

The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...

Re: The Lost Decade of Security Metrics

Daily Dave - 5 January, 2021 - 12:00

Posted by Chuck McAuley via Dailydave on Jan 05

Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar

The Lost Decade of Security Metrics

Daily Dave - 5 January, 2021 - 09:52

Posted by Dave Aitel via Dailydave on Jan 05

A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.

There's a theme in security metrics, a deep Wrong, that the community

"Is it done yet? Boom! Typey Typey!"

Daily Dave - 31 December, 2020 - 16:31

Posted by Dave Aitel via Dailydave on Dec 31

Today is my last day at Immunity. I don't know what to say about it that
everyone on this list doesn't already know or that isn't weighed down with
embarrassing secrets. At its best Immunity was a family, but also a machine
for producing absolute monsters, and not just in the technical arenas. Even
when it came to project management, we dropped people in the deep waters of
the Marianas Trench and expected them to build...

Kiroshi Optics

Daily Dave - 11 December, 2020 - 18:32

Posted by Dave Aitel via Dailydave on Dec 11

People seem to think you can use etymology as some clue to deciphering the
cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid
on it, and it's weird when people stress "Cybernetics" as if they've found...

Worth a listen on your morning drive

Daily Dave - 10 December, 2020 - 22:05

Posted by Dave Aitel via Dailydave on Dec 10

Keynote by Milton Mueller, Professor at the Georgia Institute of Technology
(Atlanta, USA) in the School of Public Policy.

I lolled at this section which is so true it hurts:

Since publishing that book I explored the concepts of sovereignty...

How many treadmills can you run on at once?

Daily Dave - 8 December, 2020 - 14:03

Posted by Dave Aitel via Dailydave on Dec 08

I wanted everyone to browse here and enjoy this Microsoft Teams

I also enjoy the discussion it has
engendered when it comes to how to measure vulnerabilities that are "in the
cloud" or via "Auto-update". It would be good to get clarity on these
