Those and the following, I believe, are examples of my thesis: the field is full of pseudo-experts who are not really experts, or who talk as if they are not. A recent (yesterday, as I type this) example is a quote from a former colleague, now with Gartner, about application proxies. In the article App Proxies: No Reviving the Dream, John Pescatore is quoted as saying, "When a new vulnerability comes out, you may have to rewrite the proxy. You can't put in proxy rules that can anticipate unknown" This shows either a horrible misquotation or a colossal misunderstanding of the basics of application gateway security.
That is to say, an application gateway proxy implements a controlled subset of a protocol. It is not in the business of anticipating bad behavior; it permits only certain, specific behavior and refuses everything else. A request that exercises a vulnerability nobody has heard of yet is dropped not because some rule foresaw it, but because it falls outside the permitted subset (an attack that stays entirely inside that subset is a different matter, which is why the subset is kept as small as the application can tolerate). That positive model is fundamental to their security and is why they should be attractive. Don't we know that? Surely John does. I fussed about the lack of firewall knowledge among experts back in November 2003 in the blog entry What do we think firewalls do?. I wrote in part about this problem across the board in network security in this Institute for Applied Network Security column.
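To make the difference concrete, here is an added illustration (my own constructed example, not code from the original post or from any product it mentions). It assumes a gateway that relays only a small HTTP/1.1 subset: the GET and HEAD methods, a handful of named headers, a restricted path syntax and fixed size limits, all of which are assumptions chosen for the example. Beside it sits a signature blocklist of the kind the quote has in mind. A constructed request using a method and headers the gateway was never told about slips past the blocklist, since no signature matches it, and is refused by the gateway without any rule having been written for it.

```python
"""Positive-model (allow-list) application gateway check vs. a signature blocklist.

Constructed example: a minimal HTTP/1.1 request filter that admits only a
fixed subset of the protocol. Anything outside that subset is refused,
whether or not a signature for it exists.
"""
import re

# The protocol subset this gateway is willing to relay (assumed for the example).
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_VERSION = "HTTP/1.1"
ALLOWED_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "connection"}
MAX_HEAD_BYTES = 4096
MAX_HEADER_COUNT = 16
PATH_RE = re.compile(r"^/[A-Za-z0-9._~/\-]*(?:\?[A-Za-z0-9._~&=\-]*)?$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9\-]+$")


class Reject(Exception):
    """Raised for any request outside the allowed subset."""


def gateway_check(raw: bytes) -> dict:
    """Parse the request head and return it only if every part is on the allow-list."""
    if len(raw) > MAX_HEAD_BYTES:
        raise Reject("request head too large")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise Reject("non-ASCII byte in request head")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise Reject("request head not terminated")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise Reject("malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise Reject(f"method not allowed: {method}")
    if version != ALLOWED_VERSION:
        raise Reject(f"version not allowed: {version}")
    if not PATH_RE.match(target):
        raise Reject("request target outside allowed syntax")
    # Dot segments are not part of the subset either, so traversal is refused by construction.
    if any(seg in (".", "..") for seg in target.split("?", 1)[0].split("/")):
        raise Reject("dot segment in path")
    if len(header_lines) > MAX_HEADER_COUNT:
        raise Reject("too many headers")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN_RE.match(name):
            raise Reject("malformed header line")
        key = name.lower()
        if key not in ALLOWED_HEADERS:
            raise Reject(f"header not allowed: {name}")
        if key in headers:
            raise Reject(f"duplicate header: {name}")
        headers[key] = value.strip()
    if "host" not in headers:
        raise Reject("Host header required")
    return {"method": method, "target": target, "headers": headers}


# Contrast: a blocklist filter that only knows the attacks it has signatures for.
BLOCKLIST = [re.compile(rb"\.\./"), re.compile(rb"%00"), re.compile(rb"(?i)<script")]


def blocklist_check(raw: bytes) -> bool:
    """True if no known-bad signature matches; patterns nobody has written a rule for pass."""
    return not any(sig.search(raw) for sig in BLOCKLIST)


def is_admitted(raw: bytes) -> bool:
    """True if the gateway would relay the request."""
    try:
        gateway_check(raw)
        return True
    except Reject:
        return False


# Constructed sample traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
# A method and headers the gateway was never told about; no blocklist signature matches them.
NOVEL = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\n"
         b"Depth: infinity\r\nTransfer-Encoding: chunked\r\n\r\n")
KNOWN_BAD = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("novel", NOVEL), ("known-bad", KNOWN_BAD)):
        print(f"{label:9s} blocklist={blocklist_check(req)!s:5s} gateway={is_admitted(req)}")
```

The blocklist has to be rewritten every time a new trick appears; the gateway's allow-list changes only when the application legitimately needs more of the protocol, which is the opposite of the maintenance burden the quote describes.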
So, we have security experts who are less than expert out there. Some are in that boat because they are or were expert in other fields and then "security" became more lucrative and/or interesting. Some, because they studied and took a test and got "certified." I mention this under the "certification" bullet in Security Redux, in which I say,
Certifications. They are great, especially if you do not have the opportunity to expose your knowledge at conferences and in print. But they are no substitute for experience. I know someone who has a CISSP but zero practical experience. It doesn't make this individual a bad or useless person. But it certainly does show.

See, it is easy to be a network security expert nowadays. Anyone can do it.
And, would you say that the state of security on the network is improving, degrading, or staying the same?