Wednesday, 3 August 2011

Low drama security

I have set up a Facebook group and a Google+ page, "Low Drama Security".

As with many others who have been in security for a long time, I have time and again seen good practice placed on the back-burner for theatre.

A few years back, SANS held a secure coding competition in which textbooks with flaws were identified and the errors being taught were brought to light. All of these textbooks are still being used to train future developers.

One aspect of my ongoing research has been looking at risk. As part of this I have been measuring patching statistics and more in real organisations for the last few years. Some of the publications are starting to come out and the results are being made public. Throughout this work, compliance has been a bugbear. People are adding the appearance of security while missing key aspects of systems that actually come under constant attack. Routers and switches were found to be hardly ever patched, and many did not even come under rudimentary controls.

I want to start a movement that will promote the fundamentals.

We need to start including good coding practice in courses (there are very few that do).

We need to start promoting solutions that make a real and measurable impact.

We need to start holding firms accountable for simple errors that should not have occurred.

We need to start making auditors accountable for actually validating security and not just following a checklist.

We need to promote real solutions.

I welcome all to join and start promoting real solutions and not simply theatre.
