if it doesn’t sting sometimes, you’re not doing it right

I don’t yet have a full-on crush on Gunnar, but a bit in a post/interview of his reminded me of a concept I like to drive home. In the third part of his Brian Chess interview with my emphasis:

Ever wonder why so many programmers are so bad at security? Part of the problem is that most of them don’t know they’re bad. Generally speaking, people are bad at assessing their own strengths and weaknesses (read this). That means you need to seek objective measures of your work. If it doesn’t sting sometimes, you’re not doing it right.

In the (too distant) past I’ve done some weight-lifting, and very recently have taken up trying to get into the running habit. Even in those realms, I darn well know that unless it hurts (in a good way), you’re not making progress. This is the same in self-serice car repair. This is the same in learning a new game. This is the same in IT ops (we learn the most when shit is broken.) This is the same in security.

I have this “in-progress” unpublished post (for like the past 2 years!) that is just this beefy list of security “laws” or other rules for those of us in security. One of the most recent ones I added was something similar:

Doing security right means finding that happy medium where you are bouncing in between transparent security and breaking things. For instance, tuning the perfect firewall rule means tightening it down until it breaks something, then loosening it just enough to make it work again.

Brian Chess wasn’t necessarily meaning it strictly that way, but we all certainly need to be ok with having something sting now and then, because that is when we get better and learn and also reinforce that we’re not just sitting in some ignorant funk where everything is wrong and we just don’t know that it’s wrong. “Wow, our logs sure are clean,” which glosses over the fact that your logging has been broken for weeks.