http://emergentchaos.com/archives/2006/08/so-this-ummm-friend-of-mine-umm-has-a-problem-with-security.html The Emergent Chaos Jazz Combo Mon, 15 Mar 2010 15:02:09 +0000 http://wordpress.org/?v=2.9.2 hourly 1 http://emergentchaos.com/archives/2006/08/so-this-ummm-friend-of-mine-umm-has-a-problem-with-security.html/comment-page-1#comment-2441 Iang (The Market for Silver Bullets) Wed, 09 Aug 2006 09:53:28 +0000 http://emergentchaos.com/?p=1860#comment-2441 In my paper on Silver Bullets I describe <i>why</i> Best Practices are not necessarily good practices. On paper they can even be downright bad practices, and nobody will budge. Whether that happens I'll let others speculate on! In my paper on Silver Bullets I describe why Best Practices are not necessarily good practices. On paper they can even be downright bad practices, and nobody will budge. Whether that happens I’ll let others speculate on!

]]> http://emergentchaos.com/archives/2006/08/so-this-ummm-friend-of-mine-umm-has-a-problem-with-security.html/comment-page-1#comment-2440 Phill Fri, 04 Aug 2006 23:10:50 +0000 http://emergentchaos.com/?p=1860#comment-2440 OK next round is at my blog, follow the link. <a href="http://dotfuturemanifesto.blogspot.com/2006/08/legislating-virtue.html" rel="nofollow">http://dotfuturemanifesto.blogspot.com/2006/08/legislating-virtue.html</a> I think that you overestimate the power of legislation here. OK next round is at my blog, follow the link.
http://dotfuturemanifesto.blogspot.com/2006/08/legislating-virtue.html
I think that you overestimate the power of legislation here.

]]> http://emergentchaos.com/archives/2006/08/so-this-ummm-friend-of-mine-umm-has-a-problem-with-security.html/comment-page-1#comment-2439 Iain Wilkinson Thu, 03 Aug 2006 03:52:57 +0000 http://emergentchaos.com/?p=1860#comment-2439 The phrase Best Practices hides a big problem from end users - you can never have perfect security. Beyond this, following industry wide best practices simply means you have exactly the same vulnerabilities and holes as everyone else. Like Mordaxus said, what an organization needs to do is good practices and those can only ever be specific to that organization. This is a situation where one size defiantly doesn't fit all. The phrase Best Practices hides a big problem from end users – you can never have perfect security. Beyond this, following industry wide best practices simply means you have exactly the same vulnerabilities and holes as everyone else.
Like Mordaxus said, what an organization needs to do is good practices and those can only ever be specific to that organization. This is a situation where one size defiantly doesn’t fit all.

]]> http://emergentchaos.com/archives/2006/08/so-this-ummm-friend-of-mine-umm-has-a-problem-with-security.html/comment-page-1#comment-2438 Mr. X Wed, 02 Aug 2006 14:34:33 +0000 http://emergentchaos.com/?p=1860#comment-2438 Great post. In reply to the comment by Mordaxus, I think your thought can be extended into an even larger realm regarding the language that we employ within the field. What's a "secure" system? Why is secure shell "secure"? My ATM card is branded as having "total security protection"... I think we need a fundamental levelset in the language that we employ. Great post.
In reply to the comment by Mordaxus, I think your thought can be extended into an even larger realm regarding the language that we employ within the field. What’s a “secure” system? Why is secure shell “secure”? My ATM card is branded as having “total security protection”…
I think we need a fundamental levelset in the language that we employ.

]]> http://emergentchaos.com/archives/2006/08/so-this-ummm-friend-of-mine-umm-has-a-problem-with-security.html/comment-page-1#comment-2437 Mordaxus Wed, 02 Aug 2006 12:57:56 +0000 http://emergentchaos.com/?p=1860#comment-2437 Donn Parker had a great argument on why "best practices" are a hindrance. There are two main reasons. The first is that if it is a "best" practice, the very words hinder development of better practices, because you're already best, right? The second is that a "best" practice does not have to be a <b>good</b> practice. It can be the best of a collection of wretched practices, merely the least wretched. Parker said that we should stop talking about best practices and start talking about good practices. Sometimes, good enough is good enough, and if it isn't good the fact that it is best is mostly faint praise. Donn Parker had a great argument on why “best practices” are a hindrance. There are two main reasons. The first is that if it is a “best” practice, the very words hinder development of better practices, because you’re already best, right?
The second is that a “best” practice does not have to be a good practice. It can be the best of a collection of wretched practices, merely the least wretched.
Parker said that we should stop talking about best practices and start talking about good practices. Sometimes, good enough is good enough, and if it isn’t good the fact that it is best is mostly faint praise.

]]>