Wednesday, November 10, 2010

Please NO MORE Top 10 Security Measures!

I have a habit of collecting web articles about security measures to apply in specific security situations. Those articles usually have a title like "Top 10 security measures for the administration of XYZ" or "Top 20 vulnerabilities in XYZ servers". And I now have the feeling that presenting a security approach that way is a bad thing.

Let's take a few examples:
What's good about these articles is that you can use them for what they are: a grid for thinking about your own security. But they are not exhaustive and, for that matter, they may not even be suitable for your own case.

That's a question of risk management (of course) but, setting aside big words like these, you might simply wonder why there are 5, 10 or 20 top measures and not 2, 6 or 11. The measures in these articles are gathered not to provide a level of security, or a level of security maturity, but to make a long, publishable list. Whether you should implement only the top 3 measures, or only measures number 2, 4 and 5, is left up to you. Not to mention that you may not implement 2, 4 and 5 in that order but may very well begin with number 4 or 5.

What these articles lack is an identification of the precise risks addressed by these measures and the location of these measures on a security maturity scale.

Let's add an illustration to this (nasty) comment: friends recently asked me to attempt a penetration test of a website they wanted to secure. What I found was:
  • easy access to the htpasswd file,
  • obvious passwords that John the Ripper guessed in no time, and
  • cleartext credentials for accessing the database.
If you look at the OWASP list, you'll find the corresponding measures at numbers 6 and 7. Yet all Apache admins know that these are maturity level zero. Furthermore, for that precise site, OWASP's number 1 (injection) was almost irrelevant.
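As an added illustration of those "maturity level zero" checks (this is example code written for this page, not something from the original post or from OWASP), here is a small Python auditor that classifies the hash format of every htpasswd entry and reports whether the AuthUserFile path sits under DocumentRoot, which is how the file ends up reachable over HTTP in the first place. The sample file and the paths are constructed, the format-to-severity mapping is this script's own judgement, and the crypt(3) check can only recognise that format by its 13-character length, so a 13-character plaintext password would be misreported.

```python
"""Audit an Apache htpasswd file: hash strength and file location.

Added example, not from the original post. Severity labels are this
script's own judgement; file contents and paths below are constructed.
"""
import re
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Formats produced by htpasswd(1), matched on their prefix/shape.
# Order matters: bcrypt, apr1 and {SHA} carry a prefix, crypt(3) is only
# recognisable by length, so it comes last before the plaintext fallback.
_FORMATS = [
    # bcrypt: $2y$<cost>$<22 salt + 31 hash chars>; slow by design.
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "ok"),
    # Apache's iterated MD5 ("apr1"): fast to brute-force on a GPU.
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "weak"),
    # Unsalted base64 SHA-1 (htpasswd -s): lookup-table territory.
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "weak"),
    # Traditional DES crypt(3): 8-char password limit, 13-char output.
    # Caveat: a 13-character plaintext password looks identical.
    ("crypt", re.compile(r"^[./0-9A-Za-z]{13}$"), "weak"),
]


def classify_hash(field: str) -> Tuple[str, str]:
    """Return (format_name, severity) for one htpasswd password field."""
    for name, pattern, severity in _FORMATS:
        if pattern.match(field):
            return name, severity
    # Nothing matched: htpasswd -p stored the password as-is.
    return "plaintext", "critical"


def audit_htpasswd(text: str) -> List[Dict[str, object]]:
    """Parse htpasswd content and classify every user's hash."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        if not sep:
            findings.append({"line": lineno, "user": user,
                             "format": "malformed", "severity": "critical"})
            continue
        fmt, severity = classify_hash(field)
        findings.append({"line": lineno, "user": user,
                         "format": fmt, "severity": severity})
    return findings


def is_under_docroot(auth_user_file: str, document_root: str) -> bool:
    """True if AuthUserFile lives inside DocumentRoot, i.e. the file is
    served over HTTP unless a <Files ".ht*"> rule explicitly denies it."""
    try:
        PurePosixPath(auth_user_file).relative_to(document_root)
        return True
    except ValueError:
        return False


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per severity bucket."""
    counts = {"ok": 0, "weak": 0, "critical": 0}
    for f in findings:
        counts[str(f["severity"])] += 1
    return counts


# Constructed sample; these are not real credentials.
SAMPLE_HTPASSWD = """\
# users for /admin
alice:$apr1$7P5z1h8f$Yd3tA2qWz9fK1zcM6hqlB/
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:rl.5vYnNzYlCa
dave:$2y$05$abcdefghijklmnopqrstuvWXYZ0123456789abcdefghijklmnopq
erin:secret
"""

if __name__ == "__main__":
    results = audit_htpasswd(SAMPLE_HTPASSWD)
    for f in results:
        print(f"line {f['line']:>2} {f['user']:<6} {f['format']:<10} {f['severity']}")
    print("summary:", summarize(results))
    # Constructed paths: the first is the "easy access" configuration.
    for path in ("/var/www/html/.htpasswd", "/etc/apache2/.htpasswd"):
        where = "under" if is_under_docroot(path, "/var/www/html") else "outside"
        print(path, where, "DocumentRoot")
```

Run against a real file with `audit_htpasswd(open(path).read())`; anything reported as "weak" is what John the Ripper gets through in no time, and a "critical" entry means the password is stored as typed. Moving the file outside DocumentRoot fixes the exposure regardless of hash format, which is why that check is listed separately.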

That's not to say that OWASP's work (or anyone else's listed above) is not good. It is, and it is useful if used correctly. It's just to say that I'd prefer to see more articles like "Beginner level: 7 security measures for XYZ servers" or "What to do if XXX is critical for your company: from step 1 to step 4".