Best practice or random rule ... diagnosing problems and running into annoyances

As often as not, I’ll hear someone talk about a “best practice” that they are implementing or have implemented. Things that run counter to these “best practices” are obviously, by definition, “not best”. What I find sometimes amusing, often alarming, is that the “best practices” are often disconnected from reality in specific ways. This is not a bash on all best practices, some of them are sane, and real. Like not allowing plain text passwords for logins. Turning on firewalls, restricting access to services/people/data to what/whom needs it. Best practices, the real ones, should be, generally, a small, focused set of rules that will address specific or general issues. The pain of implementing them, either within the organization, or external to it, is worth the investment of time, as they provide a definable, and measurable benefit. Most security best practices are like this. Most. Not all. There is another class of “best practices” which is better called security theatre. These practices do little to nothing to improve security, yet they are often implemented. This isn’t simply a security issue … there are all manner of thespian-focused as opposed to pragmatic practices. I’ve seen people claim mantles of providing “best practices” (of the thespian kind) as a way to differentiate their non-differentiated services offerings, simply because they wanted to do something their own way. Rather than make a hard core intellectual argument as to why your method is better, they try to stop the discussion by anointing it as “best”. Thespian to the core. These practices often aren’t best, and as often as not, aren’t even good. Sometimes downright frighteningly bad. I ran into one of the thespian security “best practices” recently. I won’t go into specifics, but the net result was that the group had problems with a standard header produced by our ticketing system. The one we’ve been using for years without problem. They objected to a specific format. Claiming, of course, that it was “best practice” not to do this. Which is absurd at best. But, I like to try to keep customers happy. Even if we aren’t wrong, I’ll look into accommodating their request. So I spent some time working on automagic rewriting of the header. I had to do this in such a way that it didn’t break everything else. Got it working, but somehow I think we’ll find it does little to solve the problem we were observing. Yeah … about those thespian “best practices”. Everyone likes the mantle of using them. Like all rules, you should use the smallest, most consistent set. Complexity and insecurity arise from complicated rule sets of dubious value. Its better to understand why a rule is in place, than to accept that it should be in place … lest you break something that is working … specifically to use a “best practice”. Which isn’t best.