If Common Sense Were Common
Written by: Bill Mathews
From Eye of the Storm - September 2008
Linus Torvalds, famed creator of the Linux kernel, really dislikes security people. He says in a recent online posting and a recent Network World article (linked from linuxworld.com) that security research is a “circus” and that a lot of security is simply posturing. Now the thing about Linus is (and you certainly don’t need me to tell you this) that he happens to be right more often than wrong. He’s catching a lot of heat for his comments here, but the truth of the matter is he’s right. Security is a circus, and as a discipline it is nearly non-existent.
When you meet with your vendors or peers and they identify themselves as “security guys,” ask them seriously: what does that mean? What do you do? Our firm, which could be classified as a security firm (and usually is, for simplicity’s sake), focuses not on security specifically but on making things work well. From networks to applications to even some processes, we try to look at things from a “what works best” posture and build from there. Following sound principles up front will naturally build in good security - it just works. This is the “secret” most “security guys” don’t want you to know and probably don’t know themselves. Security isn’t something that can be packaged and sold, and it isn’t some fantastic destination you’re going to eventually arrive at. In fact, it isn’t even its own discipline, nor should it be.
There are some that come in with their clipboards and checklists (and really, I love checklists) and are ready to mark off all the regulations you’ve met. There are some that come in with firewalls and are ready to say, “You’re perfectly safe now, the firewall protects you.” There are even others that come in and focus only on a certain aspect of your system, a web server for instance, and neglect everything else. There are, of course, the bug-squashing variety that get their jollies by posting the latest XSS attack against some obscure web software on full-disclosure. Then there is my personal favorite, the Zero Day Heroes (ZDH), who want to find something before it even exists. All you need is a ringmaster shouting, “Ladies and gentlemen, children of all ages...”, before directing the crowd’s attention to today’s show in the center ring. While I’m sure this is all exciting and certainly has its place, it simply cannot occur in a vacuum devoid of any other consideration. This is where and why security as a discipline fails: it thinks no other discipline exists.
The truth is you need to take all of these things into consideration when building a system or network. You need checklists to ensure that all the critical steps are taken, and you need firewalls to keep out unwanted traffic. You even need the Zero Day Heroes on the day they find some flaw in a system you’re using heavily. More importantly, you need to get your developers and network people on the same page; get them engaged. You need to talk things over, rationally, with the business folks to make sure you and they are on the same page. You have to realize that yours should be an engaging job, not an exclusionary one. These things have to be kept in perspective, and that’s one area where security professionals fail - they think their area is all that matters. The show will go on with or without the “security guys,” so the question is: do you want to be a clown or a lion tamer?