Column Topics

[jason]

I'm putting together a list of column topics for next year. Keeping in mind that I'm staying roughly in the area of general information security, what would you all be interested in reading about?

[tturner]

Hacking web services and/or mobile apps.

Oh you said general information security... How about - metrics that don't suck?

[jason]

Metrics to measure anything in particular?

[m0wgli]

Trying to keep within the remit of general information security. I'd be interested in reading about how to respond to incidents and what can subsequently be learnt from them, and, how to deal with insider threats.

[jason]

Ok, so far we have:

Metrics
Incident response
Insider threats

What else?

[tturner]

Metrics to measure the effectiveness of security program. For instance I find the number of spams blocked to be a poor metric that's more about big numbers in a chart than any meaningful representation of how the organization is reducing risk or saving money. Good metrics are things like measuring number of incidents detected internally vs by customers, attack vectors, time to respond to incident, time to close out incident, lag time for remediating vulnerabilities, etc.

[jason]

Roger that. On the list.