I gave a presentation today at Security Decisions on the Top Ten Security Myths. Here they are:
- Security through obscurity is a bad idea.
- Strong passwords are strong.
- Altruistic bugfinding is beneficial.
- You can’t quantify risk.
- You can’t get ROI from security.
- Security is about process, not product.
- SSNs are secret.
- Program x is more secure than program y.
- Stand up to your boss and "just say no."
- Security is failing.
To be clear, I disagree (totally or in part) with all of these things. What do you think?