Security Renaissance

Promoting the art and mindset of information security

Ren - ais - sance:

(lowercase) a renewal of life, vigor, interest, etc.; rebirth; revival: a moral renaissance

Mike Rothman’s Daily Incite for 12/21 had a short rant about checklist-based processes.  Mike states:

The technology today is amazing. Years ago, if you needed a lobotomy they’d slice your head open. Then they came up with drugs to fry your frontal lobe. Nowadays it’s much easier. Just publish a CHECKLIST of “best practices” and see 90% of the lemmings follow you right off the iceberg. They’d probably just hand over their brains to you, if it was on the list. Checklists could be the downfall of modern civilization (and certainly the CSO’s role in it) because checklists don’t make you think. Automatons can execute on a checklist-based process. Security is not for automatons. There are too many folks that know about the checklist and therefore know how to beat it. So don’t run your security program on a checklist. Use your head, that’s what it’s there for. You can read this article on NoticeBored if you choose, but take it more as what you shouldn’t do.
http://www.noticebored.com/blog/2006/12/audit-checklist-for-information.html

I understand and agree with what he is saying here but, at the same time, I think that we’ve been forced into a checklist mentality on many things.  For example, take a look at the Payment Card Industry Data Security Standard (PCI DSS).  It basically boils down to what the payment card guys see as a recipe for security.  This is something that many companies are struggling to comply with and — ya’ know what? – it’s in a checklist format… 

So, I believe Mike is correct; following checklists alone is surely a stupid move.  But, I don’t think that you can totally avoid that approach.  However, just to help prove Mike’s point, here’s a clip from PCI DSS version 1.1:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications.

Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

Notice that 6.6 specifies that, after June 30, 2008, a company will have to *either* put an application-layer firewall in front of its web applications *or* have its custom code reviewed.  This, to me, is the essence of stupidity.  If a company only does one of these two things to meet the requirement, they are only partially shutting the door.  Web application firewalls cannot be 100% effective (they match known attack patterns, and attackers vary the pattern) and neither can code reviews (a reviewer can miss a query just as easily as a developer can).  But, the PCI guys are going to pronounce companies as reasonably secure if they do one of those two things.  So, Mike is right – if someone checks the box in that scenario, they are destined to walk right off the iceberg.
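To make the “partially shutting the door” point concrete, here is an added example that is not part of the original post or of the PCI standard.  It stands in a toy application-layer firewall (a hypothetical three-entry signature list, constructed for this illustration) in front of two versions of the same account lookup: the string-built query a code review is supposed to catch, and the parameterized one a review would require.  The account data and the payload strings are likewise constructed.  The textbook injection is stopped by the firewall, a trivial variant of it walks straight through to the vulnerable query and dumps every row, and only the code-level fix survives the variant.

```python
import re
import sqlite3

# Constructed sample data standing in for a merchant's account store.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", "1234"), (2, "bob", "5678"), (3, "carol", "9012")],
    )
    return conn

# Hypothetical signature list for a bolt-on application-layer firewall.
# It knows the textbook injection strings and nothing more.
WAF_SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"--"),
]

def waf_allows(param: str) -> bool:
    """True if no signature matches, i.e. the request passes the firewall."""
    return not any(sig.search(param) for sig in WAF_SIGNATURES)

def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """The flaw a code review is meant to find: user input spliced into SQL."""
    sql = f"SELECT owner, pan_last4 FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn: sqlite3.Connection, owner: str) -> list:
    """The code-level fix: a bound parameter cannot change the statement's structure."""
    return conn.execute(
        "SELECT owner, pan_last4 FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()

def handle_request(conn: sqlite3.Connection, lookup, owner: str) -> tuple:
    """Request path with the firewall in front of the application code.
    Returns ('blocked', None) or ('allowed', rows)."""
    if not waf_allows(owner):
        return ("blocked", None)
    return ("allowed", lookup(conn, owner))

TEXTBOOK = "' OR 1=1 --"        # every signature list knows this one
VARIANT = "alice' OR 'a'='a"    # same effect on the query, no signature matches

if __name__ == "__main__":
    conn = build_db()
    for name, payload in (("textbook", TEXTBOOK), ("variant", VARIANT)):
        print(name, "vulnerable:", handle_request(conn, lookup_vulnerable, payload))
        print(name, "fixed:     ", handle_request(conn, lookup_fixed, payload))
```

Run it and the textbook payload is blocked against both versions, while the variant is allowed through and returns all three accounts from the string-built query and nothing from the parameterized one.  The mirror-image failure (a reviewer signing off on the parameterized query but overlooking a string-built one elsewhere in the code base) is exactly what the firewall is there to catch, which is why the sensible reading of 6.6 is *both*, not *either*.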

One Response to “Checklist your brain at the door”

  1. Those who read the checklist and stop are missing a large part of the compliance process. There is a specific intent to each requirement and a reason why they are so checklist focused. More information about PCI can be found on our blog.

    Datasecurity
