Following a highly enjoyable and usefully challenging conversation with Eric Leandri from Qwant.com I was inspired to consider some guiding principles for conducting security analysis.
With an obvious hat tip to the Zen of Python, the following is what I am aspiring to meet in the increasingly data-driven security consulting work I am engaged in:
If it’s hard to explain, it’s probably bad analysis.
If you’re not making a decision easier, what’s the point?
Hypotheses without goals are pointless.
Measurement without hypothesis is not analysis.
Explicit and transparent analysis matters.
Beautifully designed output matters.
I’d love feedback from anyone else working in the field.