Monday, January 4, 2016

A security analogy that works

Over the holiday break I spent a lot of time reading and thinking about what the security problem really is. It's really hard to describe: no analogies work, and things just seem to keep getting worse.

Until now!

Maybe.

Well, things will probably keep getting worse, but I think I've found a way to describe this that almost anyone can understand. We can't really talk about our problems today, which makes it impossible to fix anything.

Security is the same problem as world hunger. Unfortunately we can't solve either, but in theory we can make things better. Let's look at the comparisons.

First, the problem we talk about isn't just one thing. It's really hundreds or thousands of other problems we lump together into one group and give a simple yet mostly meaningless name. The real purpose of the name is to give humans a single idea they can relate to. It's not meant to make the problem more fixable; it just lets us talk about it.

Security includes things like application security, operational security, secure development, secure documentation, pen testing, hacking, DDoS, and hundreds of other things.

World hunger includes homelessness, hunger, malnutrition, lack of education, clean water, and hundreds of other things.

Lots of little things.

Second, the name isn't really the problem. It's what we can see. It's a symptom of other problems. The other problems are what you have to fix; you can't fix the name.

What we call "security" is really a collection of other things. The real problem is rarely security itself; it's something else. Security is the symptom we can see, while the real problem is less obvious and hard to see.

In the context of world hunger the real problems are things like clean water, education, equality, corruption, crime, and the list goes on. Hunger is what we see, but to fix hunger, we have to fix those other problems.

We can give people food, but that doesn't fix the real problem; it makes things better for a day or a week. This is exactly how security works today. We run from fire to fire, fixing a single easy-to-see problem, then run off to the next thing. We never solve any problems; we put out fires.

So assuming this analogy holds, the sort of good news is that world hunger is slowly getting better. The bad news is progress is measured in decades. This is where my thinking starts to falter. Trade can help bring more progress to a given area. What is the equivalent in security? Are there things that can help make the situation better for a localized area? Will progress take decades?

If I had to guess, which I will, I suspect we're in the dark ages of security. We don't approach problems with a scientific mind, we try random things until something works, and then decide that spinning around while holding a chicken is what fixed that buffer overflow.

What we need is "security science". This means we need ways to approach security in a formal, reproducible manner: a practice that can be taught and learned. Today it's all magic; some people have magic, most don't. Remember when the world had magicians instead of doctors? Things weren't better back then, no matter what those forwards from your uncle claim.

This all leaves a lot of unanswered questions, but I think it's a starting point. Today we have no starting point: we have people complaining everything is broken, people selling magic, and some who have given up and assume this is how everything will always be.

What will our Security Renaissance be? What will security science look like?

Join the conversation: hit me up on Twitter, I'm @joshbressers