Security Basics mailing list archives

RE: Security vs. Simplicity


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 19 May 2009 16:01:58 -0700

  To paraphrase the punchline of one of my favourite jokes:

  If it doesn't have to meet requirements, we can make it as
simple -- and as secure! -- as you like.

David
 

-----Original Message-----
From: avi shvartz [mailto:yram () netvision net il] 
Sent: Tuesday, May 19, 2009 1:59 PM
To: Securityfocus
Subject: RE: Security vs. Simplicity

David,

Please let me put it on the "razor's edge".

In that scenario the two "inflamed opponents" tried their best
to be "Engineers" as much as possible.
No success; they are in front of us, and it's decision time.

What will be our answer? 
(I know: not enough information... it depends... I want to
ask a few more questions... - nope.)

Avi

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Tuesday, May 19, 2009 10:11 PM
To: 'Stephen Mullins'; 'avi shvartz'
Cc: 'Securityfocus'
Subject: RE: Security vs. Simplicity

From: Stephen Mullins [mailto:steve.mullins.work () gmail com]

I agree that the goals of network ops and network security
seemingly contradict one another.  Network Operations calls for
simplicity, redundancy, and ease of troubleshooting.
Network Security calls for defense in depth and secure
design over all else.

  CIA: Confidentiality, Integrity, Availability.  Redundancy 
is usually an Availability strategy, and Simplicity aids with 
Integrity.
The "contradiction" is much more a matter of "seeming" than of fact.

  A good solution is indeed as simple as possible BUT NO SIMPLER.
And as insecure as necessary BUT NO LESS.  Establishing where 
those limits are (they should be derived from the other identified
requirements) and implementing to meet them is Engineering.

David Gillett



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp
in both Instructor-Led and Online formats is the most
concentrated exam prep available. Comprehensive course
materials and an expert instructor means you pass the exam.
Gain a laser like insight into what is covered on the exam,
with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------



