Schmehl, Paul L wrote:

<snip>


I'm not going to disagree with this at all, however I would point out that standards are one thing, implementation entirely another. It's nice to have standards that provide guidance in security structuring, but without the tools to implement those guidelines, they're guidelines and not much more. Only in the past couple of years have we seen any really useful tools in this area, and the prices are out of reach of many organizations. (Like other things in technology, it would be nice if those prices would come down over time.)

<snip examples>


That's what I'm referring to when I say "we, as a security community"
have only begun to try addressing these issues.  Right now,
organizations pretty much have to "roll their own" - not a very
efficient way of solving a universal problem.

Hrmmmm. Seems I misunderstood the issues. I wasn't thinking along those lines. Sorry 'bout that. :0 But then, I'm afraid there is always going to be the mix-and-match problem. Different products and processes were designed at different times for different purposes to deal with different threat/risk profiles. Plus, everyone's environment is different. There *are* tools that help make the job a little easier, but the best tools for the job are the carbon-based ones . . .


My $0.02.

Cheers,

George Capehart




_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
