build - measure - learn


Measuring security isn't easy. There's a lot of building going on but we need to close a build-measure-learn loop in order to make sustainable progress.

How can we credibly argue for security investments, unless we quantify the current and desired future state? Metrics should be collectable, robust and meaningful. What do you wish to communicate? Base your narrative on facts that are relevant for stakeholders.

Without trying, it won't happen. Find a couple of simple metrics and start measuring now.


the strongest link


People are sometimes regarded the "weakest link". This is a mistake.

It is factually wrong. All that great technology which is supposed to save us has been created by... people.

Also, such labelling is counterproductive. Yes, people make all sorts of mistakes. But security is a holistic quality. Only motivated, knowledgeable individuals can orchestrate security mechanisms into a meaningful whole. So, build a pervasive quality culture, let your co-workers know they are the strongest link and watch them grow.


on clouds and testing

Good q on Twitter.

Assuming a public cloud with a mega provider, our focus evolves from learning how to build better to verifying functionality. The purpose morphs from educating our own devs to supporting trust in an external service offering "as is".

We will want assurance on how stuff works in "somebody else's computer" and we will need to focus on interfaces. In an ideal world, with perfect trust in the cloud provider, we might well end up with a smaller test budget. How do we spend it wisely?

My 2c.