Friday, November 17, 2006

SANS Top20 Controversy

Hmm, I didn't realize that the SANS Top20 project has gathered so much controversy lately. So, it all started from these two posts (1 and 2), and the main flash point is this:

"As far as the nature of the [SANS Top20] list goes, it's important to realize that it's based on a bunch of people's opinions."

For whatever reason, some people took offense at this (e.g. here), but why? As a SANS Top20 contributor since 2003, I can tell you that the list is certainly based on opinions, and I am happy that my expert opinion was counted among others.

But guess what? When you go to a doctor, what he tells you is his expert opinion, not necessarily raw facts. He used facts, hopefully, to form an opinion. In the case of SANS, the list was even called "The Experts’ Consensus", which unambiguously implies expert opinions.

Now, there is another, more serious concern being raised: that the list is not as actionable now as it was a few years ago when it contained individual vulns and CVEs. Well, this one is not true: every item still has sections called "How to Determine If You Are at Risk" and "How to Protect." So, you read the first one and act; then, if exposed, read the second one and act. Done!

Dr Anton Chuvakin