NEW YORK–The term “best practices” is high on the list of overused and nearly meaningless phrases that get thrown around in the security field. It underpins regulations and industry standards such as HIPAA and PCI DSS, and yet if you asked a random sample of 10 security people what the phrase meant, you’d likely get 10 different answers. But what if there aren’t actually any best practices?
“I think there are no best practices, just things that work for you in the right scenario,” Jeremiah Grossman, CTO of WhiteHat Security, said in an interview at the OWASP AppSec USA conference here Thursday. “What’s important is trying to ascertain what those are.”
The process of discovering what works in security has traditionally been one of trial and error. Insert Shiny Defensive Technology A to protect Vulnerable Slot B, then sit back and see what happens. If, or when, it fails, you replace it with a new technology and see whether that works any better. But Grossman said that he’s seen a shift in recent years away from that kind of process and toward a more empirical one.
“It’s metrics-driven. So, suppose you have a Web site that you just put up and it’s full of bugs and when they’re found, they’re fixed fast,” Grossman said. “That tells you that you probably have a QA problem. If you have another site that has just a few bugs but when you try to get them fixed it takes forever or it doesn’t happen at all, that could tell you that your developers need training. Maybe they don’t understand what cross-site scripting is, so they need some education on that. It’s about which one works for you in which scenario.”
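The heuristic Grossman describes turns on a handful of numbers per site: how many bugs testing finds, how many get fixed, how long a fix takes, and which bug class dominates. The script below is an added illustration, not code from the article or from WhiteHat Security; the findings it analyses are constructed, and the thresholds in `diagnose()` (10 findings, 7 days, 30 days, a 50% remediation rate) are assumptions chosen to make the two cases in the quote visible, not published benchmarks.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability found by testing; fixed is None while it is still open."""
    site: str
    vuln_class: str
    found: date
    fixed: Optional[date]


# Constructed sample data (an assumption for this example, not real scan results):
# "shop" gets many bugs that close within days; "portal" gets few bugs that linger.
_SHOP_FIX_DELAYS = [2, 3, 4, 2, 3, 5, 3, 2, 4, 3, 2, 3]
SAMPLE_FINDINGS = [
    Finding("shop.example", "xss" if i % 3 else "info_leak",
            date(2013, 1, 1) + timedelta(days=i),
            date(2013, 1, 1) + timedelta(days=i + delay))
    for i, delay in enumerate(_SHOP_FIX_DELAYS)
] + [
    Finding("portal.example", "sqli", date(2013, 1, 3), date(2013, 3, 4)),
    Finding("portal.example", "xss", date(2013, 1, 10), None),
    Finding("portal.example", "xss", date(2013, 2, 1), None),
]


def site_metrics(findings):
    """Per-site count, remediation rate, median days-to-fix and dominant bug class."""
    by_site = {}
    for f in findings:
        by_site.setdefault(f.site, []).append(f)
    metrics = {}
    for site, fs in by_site.items():
        # Only closed findings contribute to time-to-fix; open ones drag the rate down.
        days_to_fix = [(f.fixed - f.found).days for f in fs if f.fixed is not None]
        metrics[site] = {
            "found": len(fs),
            "remediation_rate": len(days_to_fix) / len(fs),
            "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
            "top_class": Counter(f.vuln_class for f in fs).most_common(1)[0][0],
        }
    return metrics


def diagnose(m, many=10, fast_days=7, slow_days=30, low_rate=0.5):
    """Apply the interview's heuristic. Thresholds are assumptions for the example."""
    ttf = m["median_days_to_fix"]
    if m["found"] >= many and ttf is not None and ttf <= fast_days:
        return "high volume, fast fixes: likely a QA gap (bugs ship, then get patched)"
    if m["found"] < many and (m["remediation_rate"] < low_rate or ttf is None or ttf > slow_days):
        return f"low volume, slow or missing fixes: likely a training gap ({m['top_class']})"
    return "no clear signal"


def report(findings=SAMPLE_FINDINGS):
    """Map each site to the diagnosis its metrics suggest."""
    return {site: diagnose(m) for site, m in site_metrics(findings).items()}


if __name__ == "__main__":
    for site, m in site_metrics(SAMPLE_FINDINGS).items():
        print(site, m, "->", diagnose(m))
```

On the constructed data, `shop.example` shows 12 findings with a median fix time of 3 days and lands in the QA bucket, while `portal.example` shows 3 findings, a one-third remediation rate and a 60-day fix for the one bug that did close, pointing at a training gap in cross-site scripting. The point is not the thresholds but that the diagnosis comes from the organization's own numbers rather than from a generic checklist.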
The movement toward a more numbers-driven approach has helped organizations get a better handle on what’s working in their security programs, Grossman said, and gives them actual evidence to back up their assertions.
“How do things get to be best practices? Because some expert like me or someone else said so,” he said. “I absolutely think things are getting better. Overall, the Web is more secure, measurably more secure. But at the same time, the attackers are getting better and more organized. If you’re a target of opportunity, you just have to be better than average. But if you’re a target of choice, you better be really good at detection and incident response.”