Monday, February 05, 2007

So, Is Security An Art?

Now, I realize that for some this question will sound like "Is plumbing an art?" or even "Is accounting an art?"  However, I think now is not a bad time to ponder this one, again. You might recognize this post as being of the type "written_while_flying" :-) only more so since it is actually of a type "written_while_flying_from_Europe." :-)

It started from a CrateMaster 2000 joke about CVSS. And then this comment came in: "CVSS is the same way. It tries to reduce something to a single number (or set of numbers) that is inherently complex. It gives the appearance of scientific legitimacy to something that is as arbitrary as a game or movie review. ("I give this vuln two thumbs up!!!")."

And then this: "The fundamental problem with cyber-security metrics is that the things we can easily quantify are rarely interesting, and the things that are interesting are hard to quantify..."

On the other hand, many folks in our profession are sitting on huge piles of checklists and counting the days until security becomes a formal, if unexciting, discipline, reduced to a set of simple, and, well, not so simple, rules that everybody would need to follow (and some actually would). A science of sorts. Or at least a management discipline.

As I put it in my landmark :-) post on "Will Security Ever Be Done?" (also some discussion here), I find this complete transition rather unlikely. However, I think vuln scoring is picking the wrong battle for the "security is an art" types. Say whatever you want, but a well-defined vuln scoring seems perfectly doable, even if not trivial. And CVSS is a quality effort to get there, with some results to show.

Now, on the other hand, something like incident response will never become formal and will not be reduced to just following a checklist (even though incident response checklists are immensely useful!), just as - analogy alert! - police investigative work will never be reduced to following a formalized procedure ...

How about making the next step along this road: are those parts of infosec which are akin to art immeasurable by definition (kinda like poetry)? This question should be left unanswered for now (esp. given that I am finishing this post at Mini MetriCon 2007).


Dr Anton Chuvakin