Re: [VulnDiscuss] Cybersecurity, Research & Disclosure Conference
From: Frank Knobbe (frank knobbe.us)
Date: Fri Nov 28 2003 - 14:38:33 CST
On Fri, 2003-11-28 at 13:37, Chris Wysopal wrote:
> I think there is too much bias in the security industry and you even point
> out that the paper in question was, "horribly slanted towards open systems
> and some of it poor taste".
I fully agree that there is too much bias in the industry. That bias
should be an opinion of someone, not necessarily a recommendation to
someone. Some people ask how to solve that bias issue. My response is
that everyone needs to evaluate for themselves what requirements they
have and what software will fulfill them. Yeah, in the end it comes down
to OpenSource vs ClosedSource or *nix vs Windows (realizing that some
Unices are ClosedSource), but the solution is to realize that there is a
choice -- which one you choose is up to you. Advocacy of OpenSource
should be about the option/freedom of choice, not the recommendation to
switch.
I know, I'm preaching to the choir here... sorry. I meant to reply to
this sentence:
> One way to get beyond bias is to come up with
> metrics that most people can agree on to compare software for security
> issues. We need more hard data and less opinions.
While I agree with your model (taking data points and comparing them), I
disagree with the notion that we "need more hard data". I believe we
have a lot of hard data already. What we need to do is comprehend and
execute the next step, and that begins with realizing that you can not
compare data *for* people -- only *with* people -- since the data set
varies with your audience. If your goal is to present a comparison to
the people, you will not have achieved nor learned anything. It is not
about creating a comparison and presenting it. It's about assisting each
to create their own comparison for presentation to themselves.
The security industry is currently caught in a period of "comfortable
stagnation". We know how to do the things we do, so we do them as part
of our work. Some of us truly know security and perform it. Others come
in with the appearance of being part of the group and selling/marketing
without much help towards the goal in the grand scheme of things. Even
those of us that do know security well are currently caught in a
never-ending performance cycle. What we need to do is break this cycle
and evolve security further. Some are doing it, the front-line
researchers that come up with new ideas/concepts/gadgets. Paradigms are
slowly starting to change (for example, abandonment of centralized
fortification and a move towards distributed fortification); we just need
to help speed this up.
The security "market" is becoming more like show business these days and
some participants are becoming part of the problem, not the solution. I
think we all know what we have to do. It is time to roll up our sleeves
and further advance security, not just sit back and collect more data.
Best regards,
Frank