Secure Coding mailing list archives

Re: Installation and setup of secure applications


From: Burak DAYIOGLU <dayioglu () metu edu tr>
Date: Tue, 20 Jan 2004 19:53:55 +0000


Kenneth R. van Wyk wrote:
> All the talk last week here and elsewhere about Personal Firewall Day got me
> thinking about one of my personal soap boxes -- application installation and
> setup.
> After years of seeing countless examples of inadequately installed and
> configured applications, I became convinced that we don't pay enough
> attention to this phase of developing secure software, by and large anyway.
> Plus, I am fully aware that many people don't even agree that this is part of
> software development per se.


Hi Kenneth,
Good point. I believe the problematic issue of correctly configuring and 
operating systems is not so much a technical one. ;)


I don't know who on the list are aware of HCISec but it is a relatively 
new area of research that attempts to answer the question "how can we 
improve security through the application of human-computer interaction 
(HCI) principles and concepts to the domain of information security?".


The discussion is fundamental and research evidence reveals that 
designing security in systems in a way that


   (i) they are designed in a user-centered way
   (ii) have implicit security actions that are triggered with
   application actions and
   (iii) built upon well-known and accepted security patterns

is desirable and reaches "better" results.

I suggest anyone involved in holistic security issues to have a peek at 
the papers from the recent HCISec Workshop held as part of the ACM 
CHI2003 Conference. Workshop papers are available at 
http://www.andrewpatrick.ca/CHI2003/HCISEC/.


cheers.
--
Burak DAYIOGLU
Consultant, Pro-G Information Security and Research Ltd.
http://www.pro-g.com.tr                             [EMAIL PROTECTED]
Phone: +90 312 2101494                           Fax: +90 312 2101493






