It’s at the end of September, check it out.  Even if you’re not in the vulnerability/patch rat race on a daily basis, it would “behoove” you to go check out what’s new.  If you’ve been paying attention to OMB Memo 10-15, you’ll notice that Cyberscope takes some SCAP input.

• Save a Kitten, Write SCAP Content
• Ed Bellis’s Little SCAP Project
• Security Automation Developers Conference Slides
• Federated Vulnerability Management
• NIST and SCAP; Busting a cap on intruders Part 1

Build security in or bolt it on afterwords? Our IKANHAZFIZMA LOLCATS have an opinion on this today.

• Lolcats and QR Codes
• Lolcats Protect the End Users
• Redundant Lolcats
• Lolcats Coming to you from the Cloud
• Lolcats, Capital Hill, and a Haiku

Reference: Thought-Terminating Cliches.  They’re such a ugly things and all over the security industry and need to die, mostly because these things are so obvious that they need to die so we can introduce new ideas.

Just starting a collection, feel free to add more:

• Compliant doesn’t mean secure.
• You can always go above the minimum baseline.
• You don’t know what you don’t know.
• Security is a journey, not a destination.
• We all know that $Foo is dying/dead/failing/stillborn.
• There is no silver bullet.
• It’s security, it’s supposed to be hard.

• On Government Employees, Culture, and Survivability
• The Press has Me all Confused
• Let’s Face it, Half the Security Industry is a Pyramid Scheme
• Inside the Obama Administration’s Cyber Security Agenda
• Beware the Cyber-Katrina!

For some reason, “Rebuilding C&A” has been a perennial traffic magnet for me for a year or so now.  Seeing how that particular post was written in 2007, I find this an interesting stat.  Maybe I hit all the SEO terms right.  Or maybe the zeitgeist of the Information Assurance community is how to do it right.  Anyway, if you’re in Government and information security, it might be worthwhile to check out this old nugget of wisdom from yesteryear.

• Some Comments on SP 800-39
• GAO’s 5 Steps to “Fix” FISMA
• Old Saint NIST: Ho Ho Hold on, what’s this?
• “Machines Don’t Cause Risk, People Do!”
• Clouds, FISMA, and the Lawyers

Metricon 5 was this week, it was a blast you should have been there.

One of the things the program committee worked on was more of a practitioner focus.  I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.

I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.

You can go check out the slides and papers at the Security Metrics site.

My slides are below.  I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.

• Massively Scaled Security Solutions for Massively Scaled IT
• Why We Need PCI-DSS to Survive
• DojoCon 2009 Presentation
• Building A Modern Security Policy For Social Media and Government
• Professor Rybolov’s Guide to InfoSec and Public Policy Analysis

A common theme for me this year:  as a security manager, how do you use metrics to tell your boss that you’re doing a good job and yet at the same time you’re doing a bad job and need more money, time, and resources?

• SCAP in Lulz
• Oh to be a Program Manager
• Preliminary Findings on Cybersecurity Review Now Out
• Cyber-Ninja Lolcats Caught on Film
• IKANHAZFIZMA Finds Caution Tape