Security professionals everywhere, myself included, might want to think long and hard about why the best security essay of 2007 wasn’t even about security.

It is a late entry to the running for 2007, published on a personal weblog on the 14th of December. The author, Ben Orenstein, is a software developer, and the essay is titled On the fundamentals of programming.

While the content of the essay never references security, even obliquely, all the principles it touches on apply very well to security matters. As both a security professional and a programmer myself, I believe I have a leg to stand on when I say this is probably the best essay of 2007 not only about security, but about its intended subject — programming — as well.

As Ben Orenstein put it:

To become a better programmer, one should practice like a musician.

The key is, as he observes, that one learns best and most completely by doing — not merely by reading and listening, or by buying the most expensive toys. That applies to all fields of endeavor, including IT security. This message holds particular interest for me, not only because I’m both an IT security pundit these days (writing for this weblog) and a programmer, but also because I’m a relatively recent musician. I finally graduated from a long-time loaner Samick bass to a brand new Ibanez Soundgear bass of my own.

It is only in retrospect that I realize I have learned about IT security primarily by doing, taking on tasks of gradually increasing difficulty. The framework doesn’t really exist for a proper iterative progression of tasks in IT security as it does for music, or even for programming if you look hard enough for it. In music, repetition of simple patterns (as I’m finding out first-hand, for the second time in my life) is enough to teach fundamental principles to the beginner. All it really takes is a basic ability to recognize patterns and a lot of practice, which generally takes the form of practicing scales or chords.

Some good examples of similar practice patterns for programming show up in Ben Orenstein’s essay, and in the comments that follow it.

Where do you find the same thing for IT security — or security even more in general than that? One can take a very unstructured approach, of course, in the form of simple personal privacy management, malware defense, firewall configuration, and all the other basics of personal security. Such practice, however, tends to take the form of learning how to use the currently available tools to provide the currently best understood security practices. It takes a better capacity for recognizing patterns, and a lot more practice, to sort out the principles that form the foundation of your practice, and such an approach tends to leave significant holes in one’s understanding of the basic principles of security.

How long could someone configure mandatory access controls and email encryption tools before arriving at the same conclusion as Auguste Kerckhoffs and Claude Shannon — that security through obscurity is not security at all? It could take years. In fact, you may never learn that lesson, as proven by a significant percentage of the people doing professional security work in the world today.

If I knew of a better way to learn by doing in the field of security, I’d share it with you, though. I’m just not sure how one would go about getting a clearer view of the underlying principles of security through practice than starting with the small tasks of security and working your way up in such an ad-hoc fashion. Formal instruction in security, the sort of thing you get from security certification courses and instructional seminars, hands you concepts on a plate. It doesn’t really give you the kind of deep understanding of concepts you get from practice.

Where do we go from here? What are the scales and chords of IT security? If you can figure it out, let me know.