Secure Coding mailing list archives
"Bumper sticker" definition of secure software
From: crispin at novell.com (Crispin Cowan)
Date: Sun, 23 Jul 2006 10:18:43 -0700
mikeiscool wrote:
On 7/21/06, Florian Weimer <fw at deneb.enyo.de> wrote:Secure software costs more, requires more user training, and fails in hard-to-understand patterns. If you really need it, you lose.Really secure software should require _less_ user training, not more.
That depends. If "really secure" means "free of defects", then yes, it should be easier to use, because it will have fewer surprising quirks. However, since there is so little defect-free software, most often a "really secure" system is one with lots of belt-and-suspenders access controls and authentication checks all over the place. "Security" is the business of saying "no" to the bad guys, so it necessarily involves saying "no" if you don't have all your ducks in a row. As a result, really secure systems tend to require lots of user training and are a hassle to use because they require permission all the time. Imagine if every door in your house was spring loaded and closed itself after you went through. And locked itself. And you had to use a key to open it each time. And each door had a different key. That would be really secure, but it would also not be very convenient. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unaticipated problem Hacker: one who is adroit at pounding round pegs into square holes
Current thread:
- "Bumper sticker" definition of secure software Gary McGraw (Jul 16)
- <Possible follow-ups>
- "Bumper sticker" definition of secure software Holger.Peine at iese.fraunhofer.de (Jul 16)
- "Bumper sticker" definition of secure software Wall, Kevin (Jul 17)
- "Bumper sticker" definition of secure software Jeremy Epstein (Jul 17)
- "Bumper sticker" definition of secure software Shea, Brian A (Jul 17)
- "Bumper sticker" definition of secure software Florian Weimer (Jul 20)
- "Bumper sticker" definition of secure software mikeiscool (Jul 20)
- "Bumper sticker" definition of secure software Crispin Cowan (Jul 23)
- "Bumper sticker" definition of secure software mikeiscool (Jul 23)
- "Bumper sticker" definition of secure software Andrew van der Stock (Jul 24)
- "Bumper sticker" definition of secure software Shea, Brian A (Jul 17)
- "Bumper sticker" definition of secure software Gadi Evron (Jul 17)
- "Bumper sticker" definition of secure software mikeiscool (Jul 17)
- "Bumper sticker" definition of secure software Gadi Evron (Jul 17)
- "Bumper sticker" definition of secure software Rajeev Gopalakrishna (Jul 17)
- "Bumper sticker" definition of secure software Gadi Evron (Jul 18)