Methodist Maxim: While vulnerabilities determine the methods of attack, most vulnerability or risk assessments will act as if the reverse were true. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
I am Spartacus Maxim: Most vulnerability or risk assessments will let the good guys (and the existing security infrastructure, hardware, and strategies) define the problem, in contrast to real-world security applications where the bad guys get to. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Catastrophic Maxim: Most organizations mistakenly think about and prepare for rare, catastrophic attacks (if they do so at all) in the same way as for minor security incidents. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Rigormortis Maxim: The greater the amount of rigor claimed or implied for a given security analysis, vulnerability assessment, risk management exercise, or security design, the less careful, clever, critical, imaginative, and realistic thought has gone into it. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
"In the past, Chef has used Serverspec, a Ruby-based engine for running tests to check server configuration. However, a German startup called VulcanoSec, acquired by Chef earlier this year, had been working on a richer compliance framework. Chef Compliance is based on this technology." = via Tim Anderson, writing at El Reg...