Richard Bejtlich, CSO at Mandiant, has exposed the confusion over right and wrong in security. Writing in his TaoSecurity blog, he has listed the "Top ten ways to stir the cyber pot": ten subjects guaranteed to start an argument or flamewar. On one level it is a bit of fun; at a deeper level it demonstrates that there is no single understanding of what security is or should be. Without that single understanding, there can never be a single solution.
Top of his list is a conundrum that has exercised pundits for years: "full disclosure" vs "responsible disclosure" vs whatever else. The issue is relevant right now, with the recent public (full) disclosure of a Java vulnerability and a working exploit for it. Some claim that this exposed users unnecessarily, since the exploit was rapidly incorporated into the Blackhole exploit kit while the flaw was still unpatched. Others point out that only the full disclosure forced Oracle to fix the weakness.
Next is Threat intelligence sharing. There is little doubt that it could improve security, and it’s what most governments are promoting. But critics fear it is a pretext for law enforcement to gather wholesale information on the public without the need for judicial oversight. Then there are privacy issues about whether it can be done without divulging personal information.
Third is the value of security certifications. You can never guarantee that anything is 100% secure; all you can say is that nobody has found a weakness yet. So one danger is that a "certified secure" label can lead to a false sense of security, and ultimately cause more problems than it solves.
Other topics include the reality of "cyberwar": is it the biggest threat ever faced by western civilization, or is it like Orwell's war between Oceania, Eurasia and Eastasia, a war with ulterior motives designed to consume human labor and commodities?
The reality of this list is that there is no single correct view of security: each topic has at least two defensible answers, and a third in practice, since users will generally ignore the experts and do what they want anyway. You can see Bejtlich's full list, with a few others contributed by commentators, on his TaoSecurity blog. "I don't think we'll ever resolve any of them," he adds.