The State of Security

Change Control

My RSA Talk and Adam Shostack’s Awesome RSA Research Track

by Previous Contributors

I am in San Francisco this week at the RSA Conference (which is apparently #rsac on Twitter). I will be speaking this afternoon at 3pm PT. The famous Adam Shostack (@adamshostack) is one of the track chairs, and his advice to me was, “give your metrics talk, under the guise of virtualization security.” Well, I’m [...]

Ask Dr. Visible Ops: How Should I Engage Internal Audit In The Change Management Process?

by Previous Contributors

Hal Pomeranz and I did a webinar called “Ditching the Infosec Stereotype: Part 1: Fixing Broken Change Control Processes” a couple of weeks ago. As I mentioned in a previous blog entry, I’m a big fan of Hal. I loved the work he’s done at places that had truly mission-critical environments, including at eBay, Cendant [...]

When Life In IT Operations And QA Sucks (Part I)

by Previous Contributors

Have you ever had this happen to you? Project Killer Kumquat is finally going to deliver the set of features that’s going to allow us to catch up to the competition. Over 300 developers have been working on this project for nine months. It’s been a death march for them. This is one [...]

Answer: When Is It Acceptable To Patch QA Environment Ahead Of The Production Environment?

by Previous Contributors

In the previous post, I talked about a Twitter contest I was running to answer the following question, with a Visible Ops book as a prize going to the best answer: “When is it acceptable to patch the QA environment ahead of the production environment?” If you believe that the goal of QA is to [...]

Question: When Is It Acceptable To Patch QA Environment Ahead Of The Production Environment?

by Previous Contributors

A buddy of mine is head of information security at a large insurance company, and we were talking about a common area of passion for us: implementing controls in pre-production. He told me about an argument that came up between him and his QA manager. This QA manager was already getting harassed by the rest [...]

Trust Is Not A Control (And Neither Is Luck): Critiquing The Fannie Mae Critiques

by Previous Contributors

One of the best things I’ve read lately was “Change Controls: Ur Doin It Rong” article by Hal Pomeranz. Hal Pomeranz wrote this after he read the FBI affidavit describing how Rajendrasinh Makwana, a former consultant at Fannie Mae, allegedly planted malicious code on Fannie Mae’s servers after he had been terminated. What made this [...]