Full Disclosure mailing list archives
Re: [WEB SECURITY] Re: comparing information security to other industries
From: coderman <coderman () gmail com>
Date: Wed, 27 Dec 2006 04:15:50 -0800
On 12/27/06, Michael Zimmermann <zim () vegaa de> wrote:
> ... I think, one possible way to improve the situation is to follow the money to a lesser degree. In our own job as well as in our role as a customer. Ready for that?
if the answer is going to be YES, then the consumer (you) needs a simple way to visibly and intuitively compare the relative security merits of similar integrated systems / domains. [0]

some of the aspects / characteristics of interest may include:

- usability!
- defense in depth to guard against failures of privacy, authentication, or availability [1]
- accountability and oversight of critical operations / privileges
- transparency to expert review and other methods of assuring integrity (this is one aspect of security where open source software may provide stronger reputation)

security has to begin at development and the tools for measuring security aspects at this level and out into protocols and hardware platform are few and rarely used. (look at the MOKB for a recent reminder...) [2]

0. application and/or operating system security is meaningless by itself given the way the security flaws of either affect each other from a user view or effective risk comparison.

1. this is one example where virtualization is a useful way to constrain the attack surface presented to attackers. chroot and other resource access control methods can be viewed as a subset of virtualization-like isolation between security domains, useful for strong defense in depth along with existing best practices for development and host integrity.

2. "Month of Kernel Bugs" http://projects.info-pull.com/mokb/ [fuzz testing, automated regression and load/stress tests, defensive coding techniques and other measures that address almost all of the vulnerabilities on this list should be a standard part of any software development process associated with components of a secure computing base under the "methods of assuring integrity" aspect of improving security (the secure computing base including anything handling cryptographic keys or privileged operating system functions).]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- comparing information security to other industries KT (Dec 19)
- Re: comparing information security to other industries Valdis . Kletnieks (Dec 19)
- Re: comparing information security to other industries coderman (Dec 19)
- Re: [WEB SECURITY] Re: comparing information security to other industries Andre Gironda (Dec 25)
- Re: [WEB SECURITY] Re: comparing information security to other industries coderman (Dec 26)
- Re: [WEB SECURITY] Re: comparing information security to other industries Krainium (Dec 26)
- Re: [WEB SECURITY] Re: comparing information security to other industries Michael Zimmermann (Dec 27)
- Re: [WEB SECURITY] Re: comparing information security to other industries coderman (Dec 27)
- Re: comparing information security to other industries coderman (Dec 19)
- Re: comparing information security to other industries Valdis . Kletnieks (Dec 19)
- Re: [WEB SECURITY] Re: comparing information security to other industries Dinis Cruz (Dec 22)
- Re: [WEB SECURITY] comparing information security to other industries Nick FitzGerald (Dec 21)
- Re: comparing information security to other industries Brian Eaton (Dec 24)
- Re: comparing information security to other industries Michael Zimmermann (Dec 24)