Via the New School (yes, it’s awkward!) is a link to an article by Jay Jacobs: A Call to Arms: It is Time to Learn Like Experts. The PDF article is a bit of a heavy read, so skip ahead and read the meat starting at the section titled “Information security is a wicked environment.” The article is excellent and has great points.
The short of it is, information security defenders don’t get very good or timely feedback to learn from. This results in lots of opinions from possibly faulty intuition. (Yeah, I’m grossly paraphrasing.) It really helps to ask the question, “How would I know if I am wrong?”
I like that question, and it’s something in defense that you can tackle which will result in some relatively quick feedback. It’s not dissimilar to testing your systems before and after a change to ensure whatever you’ve done is working as needed.
My only fear is the paper seems like it has an undertone that if only we learned properly and had effective feedback loops, we’d find the right answer to security. I’m not the biggest fan of thinking there is any right answer. I guess I look at it from the security side and would suggest no one in many centuries has solved the security problem. (At least in general; there are plenty of resultant secure situations, but they’re situational.) I think this works nicely for the given example of developers and code security, but less so for broader topics.
I guess I do also fear that rather than move on and say something like, “Patch systems,” we instead argue semantics and values and analysis of that suggestion for years, rather than just Getting It Done. My gut is still usually pretty accurate in determining whether someone knows what they’re saying/suggesting when it comes to security, but not because I spent excessive time analyzing them.