there is no spoon, there is no absolute answer

A couple points I want to throw out for a Monday:

1. Security takes knowledge.
2. Security takes time.
3. Insecurity arises when shortcuts are taken. (Yes, you fall into this area, web developers!)
4. It is no surprise security permissions (in general) are lax, because they suck to manage.
5. We all started in a place where we didn’t have expert knowledge.
6. Don’t overinflate your abilities. This is where ‘paper CISSPs’ harm our field, not because they aren’t experts yet, but because they profess to know more than they do.

In recent weeks, Snosoft’s (Adriel Desautels) blog has delved into the topic of fraudulent security experts and how corporations can tell if they have a quality security expert (or vendor). I applaud the effort, even if he is preaching to the choir and may be tackling issues that are universal and have no absolute “oh-my-god-epiphany-that-will-change-the-world” answers. Those posts and a headache-inducing security permissions issue I tackled today prompted this post.

I had a longer essay presenting those 5 topics above, but I think I’ll just let them sit alone. Anyone reading my blog can either outright agree, or think for themselves on how those points apply. Just one hint: “knowledge” can refer to both technical as well as business knowledge.