• United States



by Senior Editor

Good FUD Vs. Bad: Is There Really A Difference?

Mar 18, 20094 mins
Application SecurityCybercrimeData Breach

A couple security bloggers suggest CSO Senior Editor Bill Brenner spreads FUD in a column that's supposed to be anti-FUD. Why he agrees -- to a point

Thick skin is a necessity for any writer. It doesn’t matter if they cover security, politics or do restaurant reviews. There will always be readers who disagree with an article’s thesis, and some will do so bitterly. That fact has been amplified in the last few years with the rise of the blogosphere.

My policy is to always respond privately to someone who takes me to task over a column or article. Whether they agree with me or not, they’re taking time to offer feedback and for that I’m always grateful. Publically, I’ll respond when the feedback is reasoned and shrug it off when someone drags the debate into the gutter with name-calling.

Two recent blog posts deserve the public response here.

The first was a post in the Emergent Chaos blog — one of my favorites — called “Who Watches the FUD Watcher” by someone calling himself Mordaxus.

Mordaxus didn’t care for one of my recent FUD Watch columns about fallout over security vendor breaches, which I said was appropriate. [See: Security Vendor Breach fallout Justified]

“Brenner watched the FUD as he spreads it,” he wrote. “Spare us the gotcha & How can we possibly trust CSO Online as a supplier of security knowledge when they can’t even compose a simple paragraph?”

He then asked why FUD Watch is “creating the very sort FUD they claim to watch?”

I responded in the comments section, thanking him for the feedback and offering him the opportunity to take me to task in a column that could run on CSOonline. We run columns under the banner of “Industry View” and this sort of thing fits the mold.

I haven’t heard back from him yet, nor have I gotten a response to an e-mail extending the same offer to tranquilo, keeper of the tactical-it blog.

His gripe concerned an article and podcast I put together a few months back in which Fortify’s Brian Chess predicted the impending death of pen testing. [See: Penetration Testing: Dead in 2009]

“Brenner’s article was sloppy,” he wrote. “He characterized Chess’s definition of penetration testing as “the art of probing company networks in search of exploitable security holes that can then be fixed.” This clearly refers to network penetration testing, but the rest of the article mixed quotes about network penetration tests and application penetration tests. It’s pretty easy to fabricate drama when you’re asking your sources two different questions. Did I mention our community needs a common framework?”

Let’s try to look past my irritation at being criticized by people who hide behind screen names while my identity is there for all to see. Put that aside and I think tranquilo makes an excellent point. The security community and journalists who follow it would definitely benefit from the common framework he’s talking about.

Security concepts get mixed up in the wrong language all the time. Industry heavyweight Chris Hoff has made the point over and over again as it relates to cloud computing. People often lack a clear understanding of what it is and talk about it and virtualization like it’s all the same thing, when they are different things. 

But the bigger point for me is that these bloggers suggested I’m spreading FUD when my column is pitched as anti-FUD. It’s a fair point; one that begs for a little clarification.

The column is indeed designed to put a spotlight on the kind of FUD that makes certain issues seem much more severe than they really are for the sake of generating publicity for a particular security vendor.

But the goal of the column is also to point out cases where FUD might be justified.

In the case of security vendors and other companies suffering data breaches, I think some FUD is necessary because security vendors are there to defend us and need to be held to a higher standard. Maybe that’s unfair. But it’s my opinion all the same.

Regarding the “death of pen testing” article: We didn’t publish it for the simple sake of fanning the page-view flames. Chess offered an opinion that we covered in hopes of generating the kind of public discussion that forces us to revisit our old views and be open to new ideas. I personally didn’t buy Chess’ argument and think pen testing will always be one of many important tools in the security arsenal. But it’s an opinion he’s entitled to make.

Running the article had the desired effect. We got plenty of good feedback and Core Security Technologies CTO Ivan Arce wrote a rebuttal Industry View column. [See: Twelve Reasons Pen testing Won’t Die]

So if Mordaxus and tranquilo are reading this, my offer stands. If you think I’m distorting the truth, say so in a guest column.