Some great insight on thinking about security

Aug 22nd, 2007

Comments: 2
Category: General Security


TaoSecurity: Marcus Ranum Highlights from USENIX Class
There are some very good points in TaoSecurity's summary of a Marcus Ranum session at USENIX.
I've not seen the original talk, but the summary makes me wish I'd been there.
The point on the perimeter being a complexity management tool is very well made in reference to de-perimeterization. It’s all very well saying that each individual device needs to be able to stand alone from a security perspective but it’s still a lot easier to manage the security of the wider environment when you’ve got some control over what can get in at all, and the perimeter can and does provide that.
The points about quantification problems seem to have provoked a response from Alex. Having seen these arguments come up repeatedly on blogs and on the CISSP forum, and having started reading "Security Metrics" by Andrew Jaquith, I actually think there's less distance than it appears between the strong proponents of quantitative analysis and the proponents of qualitative analysis. One thing that has struck me in these debates is that when you look at the examples on both sides, they tend to come from different areas of security.
My feeling is that there needs to be a mix of the two styles, depending on where each is most appropriate, but I'll reserve expanding on that till I've sorted my thoughts on the matter out better, as it's a bit of a minefield…


  1. Alex August 22, 2007 at 10:10 pm

    I don’t think his points were so much about quantification as much as they are about risk expression itself, no?
    Please understand that, like yourself, I’m all for qualitative analysis when it’s the most appropriate tool for the job. And Marcus (who I have the utmost respect for and think the world of usually) would agree when pressed on those points I raise there. But there are too many folks out there that might take him more literally than he may intend there.

  2. Rory August 23, 2007 at 7:33 am

    I see what you're saying about Marcus' comment being about risk expression. Thinking about it, my feeling is it's a combination of comments on risk expression (the use of the "Risk = Threat X Vulnerability X Asset Value" formula) and comments on how easy he sees quantification of the variables in that formula as being ("one wild guess times another wild guess times another wild guess").
