Risk Appetite Generator

One of the first questions to ask a client when starting a risk journey with them is what their Risk Appetite is. Sometimes this is an organisational question and sometimes it is a system based one. But always it is a problem.

These appetites are usually six or so discrete statements which fit onto an intuitive scale. Yeah, right.

Recently a client showed me their risk appetite statements and the thing that immediately stood out was that they had one of the appetites at ‘minimal’ and yet it was not the lowest possible setting. I must admit, I wasn’t expecting to hit a Rule 1 violation with a single word statement, and so the pointlessness of the scale gave us comedy gold.

So, the Risk Appetite Generator was born. As with many of my generators, you can add ?help to find out what settings you can muck about with.

Before you ask, the risk appetites of that client are in the generator.

Huntsman Defence Grade Security Information and Event Management

Chuckles Today. SIEM provider Huntsman are still shipping software agents with the two year old log4j vulnerabilities, meaning that your overall inherent risk position is *worse* with their solution than not bothering at all. Huntsman’s response when you ask them why they are shipping critically vulnerable software is to say that it’s not exploitable. Oh, that’s okay then, as long as vendors make ‘not vulnerable’ claims, then the whole world is safe again. Customers should ask them if they will indemnify losses incurred if they do get exploited and then see how long it takes Huntsman to ship code without 2 year old CRITICAL vulnerabilities 😉

Rule #1: Huntsman Defence Grade Security Information and Event Management: Not defence grade, not secure, doesn’t raise events about its own issues, doesn’t provide information about its own issues. Not much left in that product name after fixing the violations: “Huntsman mm m mm m m mm m”.
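The practical check behind the point above, as an added example that is not part of the original post and not Huntsman’s code: before accepting a vendor’s “not exploitable” claim, unpack the agent and look at what log4j it actually bundles. This script walks a directory tree, reads the log4j-core version from each JAR’s Maven pom.properties, notes whether the JndiLookup class is still present, and flags anything below a minimum version. The threshold of 2.17.1 is an assumption for the example; set it from your own vulnerability-management policy. The sample JARs it builds are constructed in-line so it runs offline.

```python
"""Inventory log4j-core JARs bundled in a vendor agent and flag old versions.

Added example, not the blog's or Huntsman's code. Assumes the agent is
unpacked into a directory tree containing log4j-core-<version>.jar files
that carry the standard Maven metadata inside META-INF/.
"""
import io
import os
import re
import zipfile
from typing import Optional

# Assumption: minimum acceptable log4j 2.x version for this example only.
MIN_OK_VERSION = (2, 17, 1)

# Class path of the JNDI lookup plugin inside log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints (numeric parts only)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return (0,)
    return tuple(int(g) for g in m.groups() if g is not None)


def log4j_core_version(jar_bytes: bytes) -> Optional[str]:
    """Read the log4j-core version from pom.properties inside the JAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(POM_PROPERTIES):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the JAR still ships the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def assess_jar(jar_bytes: bytes) -> dict:
    """Summarise one JAR: version, JndiLookup presence, and whether it should be flagged.

    Flag when the version is below the policy minimum, or when the version is
    unknown but the JNDI lookup class is present (a repackaged/unlabelled copy).
    """
    version = log4j_core_version(jar_bytes)
    jndi = has_jndi_lookup(jar_bytes)
    below_min = version is not None and parse_version(version) < MIN_OK_VERSION
    return {
        "version": version,
        "jndi_lookup_present": jndi,
        "flag": below_min or (version is None and jndi),
    }


def scan_tree(root: str) -> list:
    """Walk an unpacked agent tree and return (path, assessment) for every log4j-core JAR."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                result = assess_jar(data)
            except zipfile.BadZipFile:
                continue  # not a real JAR; skip rather than crash the inventory
            if result["version"] is not None or result["jndi_lookup_present"]:
                findings.append((path, result))
    return findings


def build_fake_log4j_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed sample: a minimal JAR carrying only the metadata this checker inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


if __name__ == "__main__":
    for v, jndi in (("2.14.1", True), ("2.17.1", True)):
        print(v, assess_jar(build_fake_log4j_jar(v, jndi)))
```

Run `scan_tree("/path/to/unpacked/agent")` against the real bundle; the version string answers the “are they shipping two year old log4j” question independently of any vendor exploitability claim, and the inherent-risk argument in the post is about exactly that inventory, not about whether a given deployment happens to be reachable.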