The Six Dumbest Ideas in Computer Security

A critique of six widespread but flawed ideas in computer security that undermine effective protection strategies.

  • Default Permit: Allowing anything not explicitly denied is a widespread but risky security approach. It's like leaving the door open to potential threats, making it hard to keep up with new vulnerabilities. The more secure alternative is "Default Deny," where only explicitly allowed actions are permitted.

  • Enumerating Badness: Tracking and blocking all potential threats is an inefficient method, given the rapid growth of malicious entities. Instead, focusing on "Enumerating Goodness," where only known, trusted actions are allowed, offers a more effective defense.

  • Penetrate and Patch: Continuously fixing security holes after they are exploited is akin to "turd polishing"—it temporarily improves appearance but doesn't fundamentally secure the system. Secure design from the start is a better strategy.

  • Hacking is Cool: Glorifying hackers and adopting a hacker mindset within security practices reinforces the problem rather than solving it. Focusing on good engineering practices is a more sustainable approach.

  • Educating Users: Repeatedly educating users on security practices is an ineffective strategy, because the same issues keep recurring. It's better to design systems that don't rely on user vigilance to be secure.

  • Action is Better Than Inaction: Rushing to adopt the latest technology or security measures often leads to poorly thought-out implementations. Pausing, thinking, and learning from others' experiences often result in better, more secure outcomes.
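
The first two items, Default Permit and Enumerating Badness, can be compared side by side with a small first-match rule evaluator. This is an added example, not part of the original post; the rule format, the addresses (RFC 5737 documentation ranges) and the flow labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    dest: str              # destination network in CIDR form
    port: Optional[int]    # None matches any port

    def matches(self, dest_ip, port):
        in_net = ipaddress.ip_address(dest_ip) in ipaddress.ip_network(self.dest)
        return in_net and (self.port is None or self.port == port)

def decide(rules, default, dest_ip, port):
    """First matching rule wins; if nothing matches, the policy default applies."""
    for rule in rules:
        if rule.matches(dest_ip, port):
            return rule.action, "rule"
    return default, "default"

# Constructed policies. The blocklist enumerates badness; the allowlist enumerates goodness.
BLOCKLIST = [
    Rule("deny", "198.51.100.0/24", None),   # a network already known to be bad
    Rule("deny", "0.0.0.0/0", 23),           # telnet to anywhere
]
ALLOWLIST = [
    Rule("permit", "192.0.2.10/32", 443),    # the one API this host needs
    Rule("permit", "192.0.2.53/32", 53),     # the one resolver this host needs
]

# Constructed outbound flows: (label, destination, port)
FLOWS = [
    ("web app -> API", "192.0.2.10", 443),
    ("resolver lookup", "192.0.2.53", 53),
    ("known-bad network", "198.51.100.7", 443),
    ("telnet anywhere", "203.0.113.9", 23),
    ("never-seen destination", "203.0.113.77", 8443),
]

def evaluate(rules, default):
    """Return {label: (action, decided_by)} for every constructed flow."""
    return {label: decide(rules, default, ip, port) for label, ip, port in FLOWS}

if __name__ == "__main__":
    for name, rules, default in (("default permit + blocklist", BLOCKLIST, "permit"),
                                 ("default deny + allowlist", ALLOWLIST, "deny")):
        print(name)
        for label, (action, why) in evaluate(rules, default).items():
            print(f"  {label:24} {action:6} (by {why})")
```

Under default permit, the never-seen destination goes through because no one has listed it as bad yet; under default deny it is dropped without any rule having to name it, and the two needed flows are still permitted by explicit rules.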

The full post is available here.