interesting read on evolving security

Also via Chuvakin, I skimmed an article by Josh Corman on evolving security. Perusing the comments, I see good points about the vagueness about what we’re supposed to be evolving into.

This reminds me of a few years back when someone threw down a great essay on why security sucks, with the promise of a follow-up so they didn’t sound like someone just complaining. That follow-up never truly came. (Fine, it came, but it just opined about other people’s responses; hardly a half-assed fulfillment.) (I’m having a problem finding it or remembering enough specifics to search for it, but I will find it!) Update: It was Noam Eppel’s essay on the total failure of information security [now defunct], which I posted about years back.

One thing I’ve slowly learned (and am still learning) through my business/work experience is that you don’t often want to just rage without a plan of action. Not unless you’re aware that you’re just venting, in which case it’s ok. Otherwise the first question from anyone who helps determine your future is, “What do you suggest?” That pivotal, important question, like a knight challenging your queen on your side of the board, is, if you don’t have an answer for it, the beginning of your endgame.

Especially in security, we need to step back and ask ourselves why we think security needs to evolve. Is it because we’re still insecure? If so, then you’ll rage forever because there’s no “win.” Unless we want to define “win,” which…yeah…that’s a good start. I feel this is an industry that can only define itself after the fact, rather than define some novel approach that is “oh my god” glorious and impactful. We’ll define our security methods and standards only after we try them out and see if they worked, or in what measure they worked. This is why I see ‘security’ more as a science than a business discipline… *…now where’d I put my crack rock…*