When I first released SimpleRisk as a free tool back in March of 2013, I decided to license it under the open source Mozilla Public License 2.0.  There were a number of reasons why I did this.  The primary reason was that I wanted to give potential users confidence in knowing that they could use that open source code without having to worry about us coming back at them with licensing demands.  Each company that downloads our SimpleRisk Core is free to not only use the product, but may also build onto it for their own use.  While we continue to develop and license new plug-and-play "Ext

On March 29, 2019, Alex Polimeni and I presented at the BSides Austin conference on some of the work we've done for National Instruments with respect to using the NIST Cybersecurity Framework (CSF) as the foundation for an assessment of the organization's cybersecurity maturity.  For those who aren't familiar with the NIST CSF, it splits cybersecurity best practice activities up into five functions: Identify, Protect, Detect, Respond, and Recover.  Then, each of those functions is split into several categories.  For example, the Identify function is split into the categories of Asset Manag

Has the number of security issues you deal with on a routine basis ever made you feel a bit like Atlas carrying the world on your shoulders?  I can’t tell you the number of conversations I’ve had with discontented security practitioners who lament to me the woes of trying to speak with management about the latest Heartbleed or Spectre/Meltdown vulnerabilities and “management just doesn’t understand”.  Even worse, when management inevitably turns a blind eye to the issue, the security practitioner worries that they’ll be searching for a new job if the vulnerability is ever exploited.  As the
