
Checklist-Driven Security Considered Harmful - CiPHPerCoder
https://paragonie.com/blog/2017/04/checklist-driven-security-considered-harmful
======
raesene6
For me the problem that this article describes, people using the OWASP Top 10
as a checklist, isn't that checklists are innately a bad idea, but that the
OWASP Top 10 isn't meant to be a checklist.

The Top 10 is a document designed to raise awareness of various web
application security issues. Unfortunately it's a victim of its own success.
People saw a defined list and jumped to the incorrect conclusion that this was
a definitive list of the things you should look at to have a "secure" web
application.

Unfortunately it's now become embedded in various places such that any attempt
to change it causes lots of problems as people who are using it in ways it
wasn't intended to be used get annoyed that if changed, it will no longer work
for them.

On the more general point of checklists and security, I actually like them as
a means of providing a common baseline of security in various arenas. The
important part is realising that a checklist is generally a starting point and
not the "be all and end all" of any effort.

------
cies
While I agree that "security" cannot be provided by a checklist, I very much
think that a security checklist (among other checklists) is still important to
keep around.

If only for making sure you check for security issues that have slipped
through before.

Sure, I'd rather put all checks "in code", as part of an automated test suite.
But we all know that for some checks that's simply not possible/feasible.

------
cscharenberg
This argument against checklists would apply anywhere for checklists:
healthcare, airplane pre-flights, auto mechanics. Checklists enforce a minimum
set of thought processes.

Suggesting checklists be discarded because some people don't do more than the
minimum is a ridiculous misunderstanding of their value and human behavior.

This post argues for a detailed thought process of "Vulnerability Taxonomy"
which could lead to new ideas, but also fails to enforce any minimum.
Moreover, by encouraging exploration of various security areas (which is good)
it still leaves you to your own knowledge which will be faulty and
insufficient in some areas.

End result of this sounds like you'll have your own homegrown checklist, but
it won't be called a checklist and it still won't adapt automatically and
thinking will be required.

------
forgottenacc57
Using the serious sounding "Considered harmful" does not give the air of
legitimacy that the author seeks.

"Considered harmful", "Considered obnoxious".

~~~
CiPHPerCoder
The title bit is a meme, not a plea for legitimacy.

While you can certainly dislike the meme, the interpretation you chose in your
comment reads like a personal attack.

~~~
brudgers
"Considered Harmful" predates Richard Dawkins's coining of the term "meme".
[https://en.wikipedia.org/wiki/Meme](https://en.wikipedia.org/wiki/Meme)

'Insider jokes' often create ill will in their outsiders. The web is a big
place.

