Stop Weaponizing CVE Counts
I've watched many teams score vendors on raw CVE counts. Not on response times, not on disclosure transparency, not on architectural controls. On the number of CVEs. I've seen it first-hand, in the...
Category: Vigilance, threat models, and incident reflections
There's a special kind of technical debt that doesn't show up in Jira. It doesn't sit in a backlog. It doesn't have a product owner. It doesn't even admit it exists. It lives in PowerPoint. I call it...
For the past decade, I've watched enterprise security teams deploy TLS inspection appliances with the best of intentions. The pitch is always the same: we need visibility into encrypted traffic to...
I was watching the American feed of the Super Bowl last night when Ring's latest ad came on. A family loses their dog. They upload a photo. Ring's network of neighbourhood cameras springs into action,...
Security requires a particular mindset. Security professionals (at least the good ones) see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use...
New York is considering a budget bill (S.9005/A.10005) that would require all 3D printers sold in the state to include "blocking technology" that scans every print file through a "firearms blueprint...
Last week I was reviewing a vulnerability scan report for a client when something caught my eye. Buried in a list of "critical" findings was a Log4j vulnerability - you know, the one that broke the...
Tonight I received the following email from the Halton District School Board: To summarize the email - Edge Imaging, a vendor tasked with managing school photographs for yearbooks during the 2022-2023 and 2023-2024 academic years, experienced a data breach. This breach occurred within the vendor's