Catastrophic Maxim: Most organizations mistakenly think about and prepare for rare, catastrophic attacks (if they do so at all) in the same way as for minor security incidents. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Rigormortis Maxim: The greater the amount of rigor claimed or implied for a given security analysis, vulnerability assessment, risk management exercise, or security design, the less careful, clever, critical, imaginative, and realistic thought has gone into it. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
"In the past, Chef has used Serverspec, a Ruby-based engine for running tests to check server configuration. However, a German startup called VulcanoSec, acquired by Chef earlier this year, had been working on a richer compliance framework. Chef Compliance is based on this technology." via Tim Anderson, writing at El Reg...
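For readers who have not seen what "tests to check server configuration" look like in practice, here is an added example, not code from Chef, Serverspec or VulcanoSec. A real Serverspec or InSpec test needs its gem and a target host; this stand-in is plain Ruby that parses a constructed sshd_config string and evaluates a few hardening controls against it, so it runs offline. The control list and the assumed sshd defaults are illustrative choices made for this example.

```ruby
# Added example (not from Chef, Serverspec or VulcanoSec): a minimal,
# dependency-free configuration check in the spirit of Serverspec/InSpec.
# The "host" is a constructed sshd_config string so the check runs offline.

SAMPLE_SSHD_CONFIG = <<~CONF   # constructed sample input, not a real host
  # OpenSSH server configuration
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes
  X11Forwarding no
  permitemptypasswords no
CONF

# Parse sshd_config into a Hash. Keywords are case-insensitive in sshd, so
# normalise to lowercase. Only the first occurrence of a keyword counts,
# matching sshd's own "first value wins" behaviour.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next if key.nil? || value.nil?
    settings[key.downcase] ||= value.strip
  end
  settings
end

# Controls: keyword => accepted value(s). A keyword missing from the file is
# evaluated against the assumed compiled-in default rather than silently
# passing, which is how most real compliance checks go wrong.
CONTROLS = {
  'permitrootlogin'        => { expect: %w[no prohibit-password], default: 'prohibit-password' },
  'passwordauthentication' => { expect: %w[no],                  default: 'yes' },
  'permitemptypasswords'   => { expect: %w[no],                  default: 'no' },
  'x11forwarding'          => { expect: %w[no],                  default: 'no' },
}.freeze

# Returns one result Hash per control, like a test runner's report.
def check_sshd_config(text, controls = CONTROLS)
  settings = parse_sshd_config(text)
  controls.map do |key, rule|
    actual = settings.fetch(key, rule[:default])
    { control: key, actual: actual, expected: rule[:expect],
      status: rule[:expect].include?(actual.downcase) ? :pass : :fail }
  end
end

# Names of the controls that failed; empty means the config is compliant.
def failed_controls(text, controls = CONTROLS)
  check_sshd_config(text, controls).select { |r| r[:status] == :fail }.map { |r| r[:control] }
end

if __FILE__ == $PROGRAM_NAME
  check_sshd_config(SAMPLE_SSHD_CONFIG).each do |r|
    puts format('%-24s %-4s (got %s, want %s)',
                r[:control], r[:status].upcase, r[:actual], r[:expected].join('|'))
  end
end
```

Against the sample above, PermitRootLogin and PasswordAuthentication fail and the other two pass. The point a practitioner should take from this is the default handling: a check that only inspects keywords present in the file will pass a host whose dangerous setting is simply the unstated default.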
Success Maxim: Most security programs “succeed” (in the sense of there being no apparent major security incidents) not on their merits but for one of these reasons: (1) the attack was surreptitious and has not yet been detected, (2) the attack was covered up by insiders afraid of retaliation and is not yet widely known, (3) the bad guys are currently inept but that will change, or (4) there are currently no bad guys interested in exploiting the vulnerabilities, either because other targets are more tempting or because bad guys are actually fairly rare. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Better to be Lucky than Good Maxim: Most of the time when security appears to be working, it’s because no adversary is currently prepared to attack. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory