Secure Coding mailing list archives
"Bumper sticker" definition of secure software
From: dana at vulscan.com (Dana Epp)
Date: Mon, 24 Jul 2006 09:47:19 -0700
But secure software is not a technology problem, it's a business one. Focused on people. If smartcards were so great, why isn't every single computer in the world equipped with a reader?

There will always be technology safeguards we can put in place to mitigate particular problems. But technology is not a panacea here. There will always be trade-offs that will trump secure design and deployment of safeguards. It's not about putting ABSOLUTE security in... It's about putting just enough security in to mitigate risks to acceptable levels to the business scenario at hand, and at a cost that is justifiable. Smartcard readers aren't deployed everywhere as they simply are too costly to deploy, against particular PERCEIVED threats that may or may not be part of an application's threat profile.

I agree that we can significantly lessen the technology integration problem with computers. We are, after all, supposed to be competent developers that can leverage the IT infrastructure to our bidding. The problem is when we keep our head in the technology bubble without thinking about the business impacts and costs, wasting resources in the wrong areas.

It is no different than "network security professionals" that deploy $30,000 firewalls to protect digital assets worth less than the computer they are on. (I once saw a huge Checkpoint firewall protecting an MP3 server. Talk about waste.) Those guys should be shot for ever making that recommendation. As should secure software engineers who think they can solve all problems with technology without considering all risks and impacts to the business.

Regards,
Dana Epp
[Microsoft Security MVP]
http://silverstr.ufies.org/blog/

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of mikeiscool
Sent: Sunday, July 23, 2006 3:42 PM
To: Crispin Cowan
Cc: Secure Coding Mailing List
Subject: Re: [SC-L] "Bumper sticker" definition of secure software
As a result, really secure systems tend to require lots of user training and are a hassle to use because they require permission all the time.

No I disagree still. Consider a smart card. Far easier to use than the silly bank logins that are available these days. Far easier than even bothering to check if the address bar is yellow, due to FF, or some other useless addon. You just plug it in, and away you go, pretty much. And requiring user permission does not make a system harder to use (per se). It can be implemented well, and implemented badly.

Imagine if every door in your house was spring loaded and closed itself after you went through. And locked itself. And you had to use a key to open it each time. And each door had a different key. That would be really secure, but it would also not be very convenient.

We're talking computers here. Technology lets you automate things.

Crispin
-- mic
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php