Secure Coding mailing list archives
BSIMM: Confessions of a Software SecurityAlchemist(informIT)
From: gunnar at arctecgroup.net (Gunnar Peterson)
Date: Fri, 20 Mar 2009 23:06:01 -0500
Two areas that don't seem to immediately lend themselves to design/ spec level solutions are (1) transitive trust and (2) interaction errors between multiple components that are all working correctly. I'd love to hear from people who've had to solve these problems in the real world. Based on what I see in CVE, it seems that the answer for item 2 is usually for one component to choose to conform to another's expectations, and that conforming component isn't always the one that "should" be changed.
Those are both definitely apparent at design time. Paraphrasing Bob Blakley, applications are built on composition, but most security protocols are point to point and don't compose. So anyone who bothers to look at the end to end application will see massive gaps in the security protocols. The "fix" is likely a decision between a sts/federation/proxy pattern, and a way to link policy to mechanism. WS-SecurityPolicy provides one such way to do specify the policy side. -gunnar
Current thread:
- BSIMM: Confessions of a Software Security Alchemist (informIT), (continued)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Jim Manico (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Benjamin Tomhave (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) kowsik (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist(informIT) Goertzel, Karen [USA] (Mar 20)
- BSIMM: Confessions of a Software Security Alchemist(informIT) Benjamin Tomhave (Mar 20)
- Message not available
- BSIMM: Confessions of a Software Security Alchemist(informIT) Benjamin Tomhave (Mar 20)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Pravir Chandra (Mar 20)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Steven M. Christey (Mar 20)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gunnar Peterson (Mar 20)
- Supply Chain Resiliency Project Assistance Mason Brown (Mar 22)
- Supply Chain Resiliency Project Assistance Gary McGraw (Mar 22)
- Supply Chain Resiliency Project Assistance Gadi Evron (Mar 22)
- Supply Chain Resiliency Project Assistance Wisseman, Stan [USA] (Mar 22)
- Supply Chain Resiliency Project Assistance Sammy Migues (Mar 22)
- Supply Chain Resiliency Project Assistance Dave Wichers (Mar 23)
- Supply Chain Resiliency Project Assistance Mason Brown (Mar 23)
- Supply Chain Resiliency Project Assistance Rohit Lists (Mar 23)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Florian Weimer (Mar 21)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gary McGraw (Mar 20)