
If a scan runs in a silo, do the results matter?

iang made an important point in a comment the other day:

And ... and ... cryptography people don't know much about security, and nor about risks, and risk people don't know about evidence and legal people don't know about user interaction and database people don't know about double entry and accounting people don't know about atomicity and none of any of the above should know anything about hacking 'n cracking.

And that's before we get to the business side. What a sorry state we are in :)

No question about it, over-specialization creates a lot of problems. Some of this is driven by the increasing complexity of each domain. We get new tools that raise the level of abstraction so we can work on higher-level problems (Java programmers are not worrying about every little bit of memory, they are writing business logic), but this also leads to more complex tooling, and so it drives every group deeper into its own specific silo.

It's especially problematic in infosec because security is a system-level property, yet when it is addressed at all, it is done in a tactical, project-by-project manner.

It turns out other disciplines have similar issues. Here is a story on Angela Belcher (emphasis added):

CHEMISTRY CALLS ITSELF the central science, but few chemists find themselves at the crossroads of as many disciplines as Angela M. Belcher does. One need look no further than her title—the Germeshausen Professor of Materials Science & Engineering & Biological Engineering at Massachusetts Institute of Technology—to get an idea that this self-described materials chemist is doing more than dabbling in the worlds of biology, engineering, and materials science.

"I love the idea of engineering biology to do nonbiological problems," Belcher explains. Her research takes biological systems, such as viruses and yeast, and guides their evolution so that they build technologically important materials from elements they would never find in their natural environment.

Her convergent approach to scientific research has won Belcher top honors for creativity and originality. In 2004, she garnered a MacArthur Fellowship—commonly known as a genius grant—and in 2006, Scientific American named her the research leader of the year. She also used her biomaterials and nanotechnology know-how to cofound Cambrios, a high-tech start-up in Mountain View, Calif.

"We've been getting really good in the last couple of years at using biology and biological mechanisms to grow and assemble materials and functional devices," Belcher says of her research. Right now she's using this approach to create materials for energy conversion and storage, carbon sequestration, catalysis, and biomedical applications. For example, her lab has coaxed a bacteriophage into building a rechargeable battery from cobalt oxide.

"When I started out, we were interested in making things because they were interesting materials," Belcher notes. "Now we're more interested in making something useful that has an impact. We want to help solve some of the most important problems in society. To do that, we have to learn more about the state of the art, what the problems are, and what the opportunities are in these different disciplines."

To that end, Belcher says that she is always trying to incorporate a diverse range of scientific areas into her research. "I'm on my toes every day trying to understand aspects of these emerging areas," she says. "I'm definitely not an expert in everything, but as our work progresses, I feel we have to raise our level of expertise."

So, what's Belcher's secret when it comes to breaking into a new discipline? "I have no problem admitting I know nothing about something and trying to learn it," she responds. "When we first started working in batteries, I didn't know anything about them, but I was willing to admit that and learn."

It's a tack Belcher has taken since her days as a graduate student at the University of California, Santa Barbara. For her doctoral research Belcher had three mentors—a chemist, a physicist, and a molecular biologist. She followed that up with postdoctoral work in electrical engineering.

Belcher's multifaceted approach hasn't always been looked upon so positively, though. When she started at her first faculty position nine years ago, she says, colleagues told her that she needed to pick a specific field to go into. They said that she should aim to be well-known in one particular area, rather than working at the interface of a number of different disciplines.

Now, Belcher says, it's so much easier to be a scientist taking a multidisciplinary approach. "I look at the graduate applications that come into my departments, and there are students from all different disciplines of science and engineering applying for one particular program. It's so great to see," she says.

"I think that multidisciplinary thinking and approaches are going to go a long way toward making major breakthroughs," Belcher says. "I think that can be key to pushing science forward and solving the next generation of challenges, whether it's in energy, medicine, or the environment."

BELCHER'S OWN RESEARCH GROUP is a living example of this multidisciplinary philosophy. Her students and postdocs come from chemistry, biology, physics, mechanical engineering, civil engineering, biological engineering, and materials science. "I bring students into my group because they're the smartest and most dedicated students I can find. And then, within the areas that I'm funded in, I kind of let them loose," she says.

"They work together and they speak together all the time," Belcher adds. She says she loves to walk out of her office to find her students teaching each other about their fields of expertise. "I select people who get along well together, which is key. I don't like competition within my group. That's always going to happen a little bit, but I like team building," she notes.

Oh, we can learn some lessons here. How much opportunity for improvement would there be if security people, and developers, admitted they didn't know much about the other domains, and began cross pollinating? Evolve, adapt, adept. Yo la tengo! Ya gotta believe.

The worst case scenario of not making these connections across domains is Munger's Fatal Unconnectedness:

What's Wrong with Economics

1) Fatal Unconnectedness, Leading To "Man With A Hammer Syndrome," Often Causing Overweighing What Can Be Counted

I think I've got eight, no nine objections, some being logical subdivisions of a big general objection. The big general objection to economics was the one early described by Alfred North Whitehead when he spoke of the fatal unconnectedness of academic disciplines, wherein each professor didn't even know the models of the other disciplines, much less try to synthesize those disciplines with his own.

I think there's a modern name for this approach that Whitehead didn't like, and that name is bonkers. This is a perfectly crazy way to behave. Yet economics, like much else in academia, is too insular.

Anyone who has worked on solving software security problems can relate to this. Consider static analysis; a commonly practiced anti-pattern goes like this:

0. Security people have a nagging suspicion that the developers' code might not be perfect
1. Security people buy the static analysis tool
2. Security people scan the developer's code
3. Security people hold a bug parade with unfiltered results and indulge themselves in "developer waterboarding" broadcasting a bunch of unfiltered findings

The result of this is increased hostility between the development and security groups (if that is even possible). Many times the findings are extremely context specific: if the security people barge in armed only with tools, they miss the context, and if they engage in developer waterboarding, they miss the chance to build a good working relationship.

Here is how I would rewrite it (best case):

0. Security people and developers work to understand basic fundamentals in each other's domains - agree upon evaluation criteria for static analysis tool
1. Security and developers do a POC and select a tool
2. Security and developers refine rules and scan code
3. Security and developers integrate tools in SDL
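Steps 2 and 3 above are where the two groups' shared understanding actually lands in tooling: the agreed triage rules decide what is noise, what has been reviewed and accepted, and what should stop a build once the scanner sits in the pipeline. The following is an added example, not code from the original post or from any particular static analysis product. It assumes a simplified JSON finding format (rule, path, line, severity) and a small policy structure; the findings, paths, rule names and policy values are all constructed sample data.

```python
"""Triage of static-analysis findings against rules agreed with developers.

Added example (not from the original post). The finding format and the
policy structure are assumptions chosen for illustration; the sample
findings and policy entries below are constructed, not from a real scan.
"""
import fnmatch
import json
from dataclasses import dataclass

# Constructed sample output, shaped like a static analysis tool's report.
RAW_FINDINGS_JSON = """
[
  {"rule": "SQL_INJECTION",      "path": "src/orders/Repo.java",            "line": 88, "severity": "high"},
  {"rule": "HARDCODED_PASSWORD", "path": "src/test/fixtures/TestDb.java",   "line": 12, "severity": "high"},
  {"rule": "WEAK_RANDOM",        "path": "src/util/Ids.java",               "line": 40, "severity": "medium"},
  {"rule": "UNUSED_IMPORT",      "path": "src/orders/Api.java",             "line": 3,  "severity": "info"},
  {"rule": "PATH_TRAVERSAL",     "path": "src/files/Download.java",         "line": 57, "severity": "high"}
]
"""

# Constructed triage policy: the kind of thing security and developers agree
# on together (step 2) before the scanner is wired into the pipeline (step 3).
TRIAGE_POLICY = {
    # rules dropped entirely; the team agreed they are not worth a bug parade
    "ignored_rules": ["UNUSED_IMPORT"],
    # rules that only matter outside test code (glob patterns per rule)
    "test_only_exclusions": {"HARDCODED_PASSWORD": ["src/test/*"]},
    # findings reviewed jointly and accepted, with the justification on record
    "accepted": [
        {"rule": "WEAK_RANDOM", "path": "src/util/Ids.java",
         "reason": "non-security identifier; joint review (constructed note)"},
    ],
    # lowest severity that fails the build once the scan runs in CI
    "block_at": "high",
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    severity: str


def load_findings(raw_json):
    """Parse the (assumed) JSON report into Finding records."""
    return [Finding(**item) for item in json.loads(raw_json)]


def triage(findings, policy):
    """Split findings into (actionable, suppressed).

    Each suppressed entry is a (finding, reason) pair, so that what was
    filtered out stays visible instead of silently disappearing.
    """
    actionable, suppressed = [], []
    accepted = {(a["rule"], a["path"]): a["reason"] for a in policy["accepted"]}
    for f in findings:
        if f.rule in policy["ignored_rules"]:
            suppressed.append((f, "rule ignored by agreed policy"))
            continue
        patterns = policy["test_only_exclusions"].get(f.rule, [])
        if any(fnmatch.fnmatch(f.path, p) for p in patterns):
            suppressed.append((f, "test code excluded for this rule"))
            continue
        if (f.rule, f.path) in accepted:
            suppressed.append((f, "accepted: " + accepted[(f.rule, f.path)]))
            continue
        actionable.append(f)
    return actionable, suppressed


def should_block(actionable, policy):
    """True if any remaining finding meets the agreed blocking severity."""
    threshold = SEVERITY_RANK[policy["block_at"]]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in actionable)


if __name__ == "__main__":
    found = load_findings(RAW_FINDINGS_JSON)
    todo, dropped = triage(found, TRIAGE_POLICY)
    for f in todo:
        print(f"ACTION   {f.severity:6} {f.rule:18} {f.path}:{f.line}")
    for f, why in dropped:
        print(f"SUPPRESS {f.severity:6} {f.rule:18} {f.path}:{f.line}  ({why})")
    print("build blocked:", should_block(todo, TRIAGE_POLICY))
```

The point of returning the suppressed list with a reason, rather than just the survivors, is that the filtering itself becomes something both groups can review: a developer can see why a finding in test code was set aside, and security can see that the accepted entries carry a justification rather than a blanket silence. The severity gate is what turns the scan from a one-off parade into a repeatable pipeline step.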

Some more ideas on static analysis tools specifically here from Messrs. Chandra, Chess and Steven. If a scan runs in a silo, do the results matter?
