Wednesday, October 25, 2006

On Pete's "Top Ten Security Myths"

I loved Pete's "Top Ten Security Myths", even though a few look pretty dumb to me (I suspect they might be explained in the body of the preso. Pete, any chance of seeing it?)

Specifically, "Program x is more secure than program y" sounds pretty silly. Admittedly, the environment and the user/implementer have a more dramatic effect on the overall security than the secure code quality (if that is Pete's spin, then I'd buy it), but surely OpenSSH has a more secure code base (due to more security audits and code review) than, say, MS IIS 2.0...

Also, "You can't get ROI from security," come on? When was the last time your firewall paid you some cash? :-) Can you tell me which brand that is so I can get one of 'em...

So, here is the list, stolen from Pete's blog:

  1. "Security through obscurity is a bad idea.
  2. Strong passwords are strong.
  3. Altruistic bugfinding is beneficial.
  4. You can't quantify risk.
  5. You can't get ROI from security.
  6. Security is about process, not product.
  7. SSNs are secret.
  8. Program x is more secure than program y.
  9. Stand up to your boss and "just say no."
  10. Security is failing."

Dr Anton Chuvakin