Best Practices?
A post from Anton Chuvakin, commenting on a post from another blog, is one of those to hang on the wall.
The post he discusses has a point when it says that there are lots of people trying to follow best practices and standards instead of doing real security. I think it's partially right. If the process lacks intelligence it won't work anyway. And I agree that some "best practices" are not so best.
But Chuvakin is entirely right to say that using checklists is a good approach when previously there wasn't an approach at all.
They also agree on something that I always fought wherever I worked: "real security is a creative act". Yes, this is not a monkey job! A lot of people believe that perfect security means creating the perfect checklist and handing it to less qualified (and cheaper) workers. It doesn't work like that. I've seen with my own eyes the difference between the same checklist being used by competent and not-so-competent people. Totally different results.
Some people say that this is making a mystery of the job, using "talent" to make it appear bigger than it really is. I think they are exaggerating and underestimating the problem of doing real security. Without intelligence and knowledge you can't go far. But it's not only that. A standard or "best practice" is just like any other specialist's tool, like the scalpel for the plastic surgeon. When handled by the specialist, it can work miracles. When handled by the unskilled, it does only harm.