Full Disclosure mailing list archives

Re: [WEB SECURITY] Re: comparing information security to other industries


From: coderman <coderman () gmail com>
Date: Wed, 27 Dec 2006 04:15:50 -0800

On 12/27/06, Michael Zimmermann <zim () vegaa de> wrote:
> ...
> I think, one possible way to improve the situation
> is to follow the money to a lesser degree. In our
> own job as well as in our role as a customer.
> Ready for that?

if the answer is going to be YES, then the consumer (you) needs a
simple way to visibly and intuitively compare the relative security
merits of similar integrated systems / domains. [0]

some of the aspects / characteristics of interest may include:
- usability!
- defense in depth to guard against failures of privacy,
authentication, or availability [1]
- accountability and oversight of critical operations / privileges
- transparency to expert review and other methods of assuring
integrity (this is one aspect of security where open source software
may provide stronger reputation)

security has to begin at development and the tools for measuring
security aspects at this level and out into protocols and hardware
platform are few and rarely used.  (look at the MOKB for a recent
reminder...) [2]


0. application and/or operating system security is meaningless by
itself given the way the security flaws of either affect each other
from a user view or effective risk comparison.

1. this is one example where virtualization is a useful way to
constrain the attack surface presented to attackers.  chroot and other
resource access control methods can be viewed as a subset of
virtualization like isolation between security domains useful for
strong defense in depth along with existing best practices for
development and host integrity.

2. "Month of Kernel Bugs"
    http://projects.info-pull.com/mokb/
    [fuzz testing, automated regression and load/stress tests,
defensive coding techniques and other measures that address almost all
of the vulnerabilities on this list should be a standard part of any
software development process associated with components of a secure
computing base under the "methods of assuring integrity" aspect of
improving security (the secure computing base including anything
handling cryptographic keys or privileged operating system
functions).]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
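Footnote 2 above names fuzz testing and defensive coding as measures that should be a standard part of developing any component of a secure computing base. The following Python example is added here for illustration and is not part of the original post or of the MOKB project: it runs a small mutation fuzzer against two parsers for a toy length-prefixed record format constructed for the example, a naive parser that trusts its length field and a defensively coded one that validates every offset before using it. All names (`parse_naive`, `parse_defensive`, `mutate`, `fuzz`, `MalformedRecord`) and the record format itself are assumptions of this example.

```python
import random
import struct

# Toy record format (constructed for this example): a stream of records, each a
# 2-byte big-endian length prefix followed by that many payload bytes.


def encode(payloads):
    """Build a well-formed record stream from a list of byte strings."""
    return b"".join(struct.pack(">H", len(p)) + p for p in payloads)


def parse_naive(data):
    """Parser with no defensive checks: it trusts the length prefix."""
    records = []
    pos = 0
    while pos < len(data):
        # IndexError when only one header byte remains
        length = (data[pos] << 8) | data[pos + 1]
        pos += 2
        # silently accepts a payload shorter than its declared length
        records.append(data[pos:pos + length])
        pos += length
    return records


class MalformedRecord(ValueError):
    """Raised by the defensive parser on input that violates the format."""


def parse_defensive(data, max_records=1000):
    """Same format, but every read is bounds-checked and bad input is rejected."""
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedRecord(f"truncated header at offset {pos}")
        length = (data[pos] << 8) | data[pos + 1]
        pos += 2
        if length > len(data) - pos:
            raise MalformedRecord(
                f"declared length {length} exceeds {len(data) - pos} remaining bytes")
        records.append(data[pos:pos + length])
        pos += length
        if len(records) > max_records:
            raise MalformedRecord("record count limit exceeded")
    return records


def mutate(seed, rng):
    """Apply one random mutation to a seed input (constructed mutation set)."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:                       # overwrite one byte
        i = rng.randrange(len(data))
        data[i] = rng.randrange(256)
    elif op == 1 and data:                     # truncate at a random point
        del data[rng.randrange(len(data)):]
    elif op == 2:                              # insert 1-3 random bytes
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    elif len(data) >= 2:                       # plant a maximal length field
        i = rng.randrange(len(data) - 1)
        data[i:i + 2] = b"\xff\xff"
    return bytes(data)


def fuzz(parser, seeds, iterations=2000, seed=1):
    """Mutate seeds and run the parser; return {exception name: first crashing input}.

    A MalformedRecord is the parser rejecting bad input on purpose and does not
    count as a crash; any other exception is a defect worth a regression test.
    """
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parser(case)
        except MalformedRecord:
            continue
        except Exception as exc:  # noqa: BLE001 - a fuzzer wants every crash
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Constructed seed corpus: a normal stream, an empty record, and a large record.
SEEDS = [encode([b"hello", b"world"]), encode([b""]), encode([b"x" * 300])]

if __name__ == "__main__":
    print("naive parser crashes:", fuzz(parse_naive, SEEDS))
    print("defensive parser crashes:", fuzz(parse_defensive, SEEDS))
```

A crash-only harness like this one finds the IndexError in the naive parser within a few hundred iterations, but it cannot see the second defect, silent acceptance of a truncated payload, because nothing raises. That is why the defensive version turns such cases into an explicit MalformedRecord: once the parser has a definition of "malformed" that it enforces, the same harness doubles as a regression test for the format's invariants rather than only a crash finder.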

