The discussion about GRC

Good information will always come from discussions between people like Gunnar Peterson, Richard Mogull, Chris Hoff and Alan Shimel. This time's target are GRC tools. It started with Peterson, was commented by Hoff and Mogull, followed by Shimel.There is space for GRC tools on the market, but it is really risky to change a security product roadmap to rebrand it as GRC. Axur ISMS is a very nice tool to oversee and manage a security program, leading to compliance results. However, it will never work without all the processes and tools that lie beneath the strategic layer. How can a tool like that replace, let's say, an antivirus or even a firewall?The way that all those tools are being managed and how they are addressing risks is information and it needs to be properly managed. This is were GRC products can help. If you don't have tools and process to be managed, forget about GRC. Do the basics first.

Debian

Debian: transforming public key in shared key encryption.

Vulnerability Numbers, Q1 2008

Jeff Jones has just published some pretty interesting vulnerability numbers from Q1 2008.Ok, I know that the source is Microsoft, but the numbers and their meanings are very well documented, im my opinion. I'm one of the believers that these numbers show the results of the impressive security initiative from Microsoft. It's also good to see the numbers about vulnerabilities in Apple software, what also shows the results of a security posture (a very crappy one, indeed).Linux numbers are not a surprise to me. The problem this week for Linux is the very very ugly vulnerability on the PRNG system. By reading how it came to appear into the code just shows that the same reason that open source defensors use to argue it is more secure can also make the software less secure. Interesting.

(ISC)2 exams

This week I'm participating on a (ISC)2 Workshop for item writing and review for the ISSAP certification. This opportunity brought to me a very good view on how the exams are created and managed. Honestly, what I have seen until now completely changed the way that I see these certifications. The process is thorough and the questions pass through a review by several very good professionals. I know that passing a test, even one with good questions, is not a proof of professional competency, but it's a good way to assess the basic knowledge of a candidate. Congratulations to (ISC)2!