Slashdot Mirror


Rethinking Security: Securing Activities Instead of Computers

An anonymous reader writes: "Security is not a property of a technical system," says independent security consultant Eleanor Saitta. "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users." But software development teams that understand what users want and what adversaries they face are very rare. And security engineers forgot, or misunderstood, what their job is: not securing computers, but securing activities that lead to the realization of greater goals.

3 of 55 comments

  1. Pointless Enterprise Speak. by cshark · Score: 3, Insightful

    Look, I know the guys in suits buy into this crap, but there's really no reason to spread it on our walls.

    If you're going to provide a solution to a problem, do it, and describe it in clear, concise English. This person hasn't actually said anything at all. They simply used a larger than necessary amount of words to do it.

    --

    This signature has Super Cow Powers

  2. What people want by sjames · Score: 3, Insightful

    People want an attempted computer intrusion to look like The Matrix combined with William Gibson novels combined with red alert klaxons and people in military uniforms running around in a war room. They want it to be free, foolproof, and not require them to know or remember anything.

    Good luck!

  3. As an independent security consultant myself... by bobbied · Score: 3, Insightful

    You are full of ...... It...

    (/sarcasm)

    Look, ANYBODY can claim to be an "independent security consultant", and it's stuff like this that sounds complex enough to be true. You can baffle people with BS if you know the buzzwords, and even get consultant gigs from time to time: just hang out a shingle, buy a website and go to a couple of symposiums.

    Security is about common sense and risk management. You need to understand the risks (which means you need to know what they are), and that takes some domain knowledge; plus you need to know what the possible techniques are to manage the risks. But once you know what the risks are and what tools you have to manage these risks, doing the actual *work* is decidedly easy and not that hard.

    The moral of the story here is that if it sounds complicated coming from your "expert" then you need to fire them. If you cannot understand what they are suggesting needs to be done, they are just trying to separate you from your money, not provide you with security.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101