The "RISKY BUSINESS" Blog
Risk Assessment Woes -- A Doomsday Warning

Posted by John Verry on Wed, Apr 01, 2009 @ 11:50 AM

I’m well aware of Marcus Ranum’s very considerable contributions to the Information Security space; however, I don’t believe his most recent blog post/whitepaper is one of them. My challenge isn’t with the vast majority of Ranum’s assertions regarding the challenges of Risk Management, the importance of security practitioners communicating the honest truth, and management’s ability to irrationally rationalize away risk. On the contrary, I think virtually all of his observations are spot-on. Rather, I am frustrated that Ranum strongly contemplates the position that unless we “throw it out and start over” we are doomed to perpetual Information Security failure.

I know that Marcus is not alone in his opinion. Our Audit Practice Area Manager has waxed eloquent on the subject to me more times than I would prefer. Further, I will admit there are short stretches where it feels the same way to me. So what’s my beef with “The Anatomy of Security Disasters”? Simply, as one of the few Information Security “celebrities,” I think Marcus has an obligation to roll up his sleeves, take a leadership position on the subject, and get the wagons moving back westwards again.

“Throwing it out and starting over” (e.g., 40M lines of legacy code can’t possibly ever be considered truly secure) is impractical to consider – for a number of reasons – most notably that it ignores the “business risk” inherent in the proposition (a risk that dwarfs the Information Security risk of securing what we have in place now). I think the posting ignores the significant advances of the last 5 years. Escalating security incidents are not a reflection of declining Information Security postures; rather, they reflect the fact that the threat agents and their (growing fiscal) motivations are increasing at a rate that is greater than our improvement.

Security is by no means where it needs to be yet, but it is definitely better than where it was. We have eight years of client Penetration Tests and audits to demonstrate it. I’m also optimistic that initiatives like ISO-27001, OWASP, and SAMM will continue to move security forward (hopefully at an accelerating pace).

I would strongly encourage everyone to read “The Anatomy of Security Disasters”; there are many, many well-made points. Perhaps none better than the concerns expressed about Web 2.0.
