If someone in security isn’t yet convinced it is as much an art as it is a science, I’d expect they’ve not done security long enough (or they’ve been lucky to work in a high security environment or focus solely in academic computer science).
For as much as security wants credibility and to make a difference, it dashes our efforts when someone runs into a room waving around an automated vulnerability report and demanding that every (every!) item be fixed or business will be denied. This includes such idiotic things as “hiding” HTTP 403 errors because they give away the presence of a directory, or a single weak cipher being enabled, or something else so low as to be valueless to any attacker. Or at least worth less to an attacker than it costs us to mitigate the low issue! It hurts worse when this report-waving person is another “security” dude. To those people, way to sour everyone’s grapes.
I also read a recent post on Bejtlich’s blog as well as the links and comments for the post. Some great thoughts in there.
I’m convinced of a few things…
First, there are very few (if any) correct answers that work on a global or universal or even “just really large” scale. What works for one organization may not work for another, for any of countless reasons. We have lots of great ideas, collectively, in security, most of which probably work. The biggest problem is inertia and getting someone to actually devote some time and resources to the cause in the first place.
Second, the only way to combat the crap being passed around is to be an expert in security (in as many veins as possible) and to maintain the credibility needed to educate management. This means being pragmatic and yet effective. It means being able to talk to someone and explain why issue #87 is not the Big Deal they’re running around trying to make it, just because it appeared on an automated scan. This means not issuing ultimatums over useless low-risk issues and instead tackling issues and initiatives that will actually have some value (even if you don’t fully understand how to measure and prove that value).
I really think good security geeks know in their gut when something is useful to the cause or not, even if it is hard to actually justify it every time.