SecurityWeek just published my latest article “No Exit: The Case for Moving Security Information Front and Center”. “No Exit” is a reference to Sartre's existential play where three people wind up locked in a room together for eternity driving each other crazy. They are in hell. They represent developers, QA, and security people for the purposes of this article (or three random devops guys, your choice).
After I wrote this, I read Josh Bresser’s take on the state of cybersecurity education and I think he makes a great point that we really need someone to study why we are failing so badly.
At some level, we haven’t solved the (unsolvable) problem of physical security either and I think that the analogy between cybersecurity issues and physical security issues is not the worst. As a society, we need to decide the level of acceptable loss and then set our spending to correspond to the level of security that we can live with. I just hope that it is a little better than we are currently doing.
P.S. For the record, I am a member of OWASP and a huge fan of the work they have done.