It’s pretty rare when you run across a sekurity mastar who gets it. But, this is one of the best things I’ve read in a long time.
I guess my sense of amazement at the pitiful state of the industry should wane over time. It hasn’t. The mastars keep getting more letters after their names, and bigger salaries. (I’ll set aside the fact that I have met CISSPs who are unable to parse, much less write, a script to manually patch and secure a Windows box….) Meanwhile, various vendors’ products render many solutions nearly unusable.
This one is along the lines of what I’d planned to speak on at Shmoocon 2013. I was writing my CFP response, and got to counterarguments I didn’t think I could easily refute. Are you really securing things if you have to increase the attack vector to use a tool? Are things more secure if you have to install Java and Flash for a tool to work? How about .NET?
It’s wrong of me to think such things; I should just shuttup, and improve my Minesweeper skills.