Grim(m) Security Tales: Six Security Myths

Myth one: The problem isn’t our networks (which are pretty well protected, by the way). It’s the crappy software we write and put on the network.
Posted April 10, 2007

Ed Adams

(Page 1 of 3)

Information security mistakes are costly, damaging, and all too prevalent. Given the repercussions of poor security strategies (see recent incidents from organizations like TJX, AOL and the VA), one is inclined to believe change agents are in place.

However, organizations continue to drive their security efforts based on fallacies and myths, and make seemingly avoidable mistakes when it comes to information security. I’ll present six common myths, in no particular order:

• Network Defenses will Protect your Kingdom

• Technology/Tools are the Panacea

• Only “Bad” People are Bad

• Security ROI is the Beacon

• Secure Software is Costly

• The Security Breach du Jour is the Most Pressing

1) Network Defenses Protect Your Kingdom

The problem isn’t our networks (which are pretty well protected, by the way). It’s the crappy software we write and put on the network.

There is no discipline or rigor to software engineering like there is in other engineering disciplines. I’m a mechanical engineer by trade with certifications that verify my expertise in this craft. There is no equivalent in the software world, and we, as organizations that build and buy software, aren’t demanding a change.

Network defenses, like firewalls and intrusion prevention systems, have a place in a multi-layered information security solution, but they can’t protect us from the majority of vulnerabilities – those in the application layer.
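The point above, that a port filter or firewall sees only the transport while the defect lives in the application code, can be made concrete with a small simulation. The following is an added example, not code from the article or its author; it assumes a constructed SQLite user table and a simplistic "firewall" that allows only HTTP methods on ports 80 and 443, and it places a string-built login query beside its parameterized fix.

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table, not from any real system.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
_conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
_conn.commit()

# Assumed network policy: only web traffic is allowed through.
ALLOWED_PORTS = {80, 443}
ALLOWED_METHODS = {"GET", "POST"}


def network_layer_allows(dst_port: int, method: str) -> bool:
    """What a port/protocol filter can see: destination port and HTTP method.
    It has no notion of what the request body means to the application,
    so a well-formed request on an allowed port always passes."""
    return dst_port in ALLOWED_PORTS and method in ALLOWED_METHODS


def login_vulnerable(name: str, pw: str) -> bool:
    """The application-layer defect: the query is built by string
    concatenation, so user input becomes part of the SQL itself."""
    q = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return _conn.execute(q).fetchone() is not None


def login_fixed(name: str, pw: str) -> bool:
    """Same lookup with a parameterized query: input is bound as data and
    can never change the structure of the statement."""
    q = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return _conn.execute(q, (name, pw)).fetchone() is not None


def simulate(name: str, pw: str, dst_port: int = 80, method: str = "POST"):
    """Run one login attempt through the network check and both code paths.
    Returns (passed_network_filter, vulnerable_result, fixed_result)."""
    if not network_layer_allows(dst_port, method):
        return (False, None, None)
    return (True, login_vulnerable(name, pw), login_fixed(name, pw))


if __name__ == "__main__":
    # Legitimate credentials: both implementations accept.
    print(simulate("alice", "s3cret"))
    # Wrong password: both implementations reject.
    print(simulate("alice", "wrong"))
    # A password field that is valid data to the firewall but SQL to the
    # vulnerable code: the network filter passes it, the concatenated query
    # accepts it, and only the parameterized query rejects it.
    print(simulate("alice", "' OR '1'='1"))
    # Traffic to a non-web port is the only thing the network layer stops.
    print(simulate("alice", "s3cret", dst_port=23))
```

The last two calls are the article's argument in miniature: the perimeter blocks what it is built to block (a stray port) and is blind to the request that actually matters, because that request is indistinguishable from legitimate web traffic at the network layer. The fix is in the code, not in the firewall.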

2) Technology/Tools are the Panacea

I love tools. I worked for a software testing tools vendor for more than five years. But I also recognize that tools alone don’t make people smarter, nor do they improve the process through which solutions are built. They simply make people and processes more efficient in jobs they are trained to do.

Tools don’t teach a surgeon how to operate. I didn’t become a better mechanical design engineer because I learned how to use AutoCAD; it just made me more efficient in the job I was already trained to do. That’s the problem. There is no training in the application development discipline and no rigor in holding teams accountable for maintaining secure infrastructures. Tools have their place in a complete information security workflow, but they require people who know how to operate them to be effective.
