Friday, September 19, 2008
When was the last time you ran across a holistic IT security professional...
This week, I had the opportunity to speak at IT Security World on SOA and Security. My opening question was to ask attendees how many of them believe that security needs to be looked at holistically, and lots of hands were raised. I then asked if they thought that holistic included software development, and all the hands stayed up. I then asked how many of them actually had a software development background, and pretty much every single hand in the room dropped.
Mark Curphey and Gunnar Peterson have blogged that security being 90% focused on breaking and 10% on building is just plain bad. A quick analysis of why this occurs is really simple: to be a builder, you must understand how to write software, while to break software you can get away with a simple operations/infrastructure background.
Gunnar and Mark, do you really think that the masses of security professionals will be willing to throw themselves under the bus by acknowledging that they may not be qualified to defend their own enterprise against future threats? Do you understand how long it takes, not just to learn a language if it is your first, but to actually become competent? Do you think it is wise for an enterprise to wait around for security people to learn, no matter how motivated a handful of them may be?
To refine one of Gunnar's comments: When was the last time you saw an attack drawn out as a UML sequence diagram? Let me be on the record and say that I am guilty of not doing this either, but I have a valid reason. First, I absolutely despise sequence diagrams and prefer activity/swimlane diagrams instead, as they clearly show who does what along with the boundaries. I have encouraged folks, especially those who draw process flows, to choose this notation over more simplistic sequence diagrams.
For folks who want to truly be holistic security professionals, I personally endorse taking Gunnar's course at the upcoming OWASP conference. The challenge, though, is figuring out how to convince IT executives that the folks who currently consider themselves security professionals aren't really practicing anything more than network hygiene, and that there is nothing holistic about their approach regardless of what they tell you...