Risk ranking your applications: A method to the madness
You likely have a diverse mix of applications within your organization.
Posted in Software Architecture & Design | Comments Off on Risk ranking your applications: A method to the madness
Sammy Migues
Sammy Migues is a principal scientist at Synopsys. He is an information security visionary with a proven record of entrepreneurial innovation, intellectual capital development, practical business solutions, and performance optimization. Sammy is a respected thought-leader in software security initiatives and related application security programs, asserting, “I still know what I’m talking about. Really.” Sammy spends his free time in pursuit of more knowledge, so you can be assured he does.
Posts by Sammy Migues:
Building meaningful security metrics
Many people in various security disciplines are looking to metrics as a way to demonstrate the efficacy of their efforts and show continuous process improvement.
Unfortunately, poorly constructed metrics usually create more confusion than insight.
If I told you that testing discovered nine critical vulnerabilities last month, what knowledge have I imparted? Does it clarify improvement from last month/last year? Does it imply that you are testing more broadly across your portfolio to eliminate detection gaps? Does it mean you simply changed the definition for “critical”?
Posted in Application Security | Comments Off on Building meaningful security metrics
The risk of too much risk management
IT controls. Corporate governance. Decision support. Right-sized spending (another phrase I thought I coined, but I see it gets three hits in Google). These are all part of the all-too-nebulous activity often referred to as data security risk management.
Posted in Software Security Program | Comments Off on The risk of too much risk management
Building meaningful security metrics
Many people in various security disciplines are looking to metrics as a way to demonstrate the efficacy of their efforts and show continuous process improvement. Unfortunately, poorly constructed metrics usually create more confusion than insight. If I told you that testing discovered nine critical vulnerabilities last month, what knowledge have I imparted? Does it clarify improvement from last month/last year? Does it imply that you are testing more broadly across your portfolio to eliminate detection gaps? Does it mean you simply changed the definition for “critical”?
Posted in Application Security | Comments Off on Building meaningful security metrics
The risk of too much risk management
IT controls. Corporate governance. Decision support. Right-sized spending (another phrase I thought I coined, but I see it gets three hits in Google). These are all part of the all-too-nebulous activity often referred to as data security risk management.
Posted in Software Security Program | Comments Off on The risk of too much risk management
