Interesting Dialog on Spam Testing and Perspectives on the Analyst Business

I know that many of you read Security Incite Rants via your RSS reader or in e-mail, and that means you miss some of the comments. I'll point you to an interesting exchange about yesterday's spam testing post [read it here]. You actually need to hit the link on securityincite.com and scroll down on the page to read the comments.

I appreciate that Gordon Carmack of the University of Waterloo took the time to present a passionate and well thought out argument basically poking holes in many of my contentions about spam testing. Of course, I think he's wrong, and said so in my responses.

I also think he doesn't really understands the role of the analyst. Or maybe he does and just doesn't buy it. I've also laid out my ideas on what analysts do and why in the responses. Having done this for a long time, these objections and questioning of my opinion based on the fact that I don't actually test products is nothing new.

At the end of the day, some folks think analysts add value to what they are doing and others don't. Personally, I don't much care which camp anyone falls into. I have no trouble sleeping at night because I know that I help folks make better decisions. And ultimately that is my acid test.