Hardly a week goes by that I don’t get an email about some “security best practice” or another. Some examples are “Best Practices For Detecting Insider Threats”, “Best Practices for DDoS Mitigation”, and “Best Practices for Security in Linux/Unix”. The same old best practices keep circulating, but we don’t seem to be learning from them. If you don’t believe this to be true, why do we still see SQL injection attacks being used and succeeding?
I decided that having the same old security maxims repeatedly espoused to us isn’t working and that we need something new. But what kind of paradigm shift is called for? Then I remembered the aphorism, “Nothing is ever a total loss. It can always be used as a bad example.” That led me to conclude that we can learn good security practices by studying bad security practices. Looking at bad security practices is valuable because it gives us the opportunity to learn from other people's mistakes without having to make them ourselves. The learning experience is reinforced because we get laughs out of it at someone else’s expense. So, I started collecting “security worst practices” and learning from other people’s mistakes and misfortunes. Winston Churchill once said, "All men make mistakes, but only wise men learn from their mistakes." Join me for a journey of "Security Worst Practices" as we learn from others' mistakes.