Secure Coding mailing list archives
Re: SearchSecurity: 13 Design Principles for 2013
From: Gary McGraw <gem () cigital com>
Date: Thu, 17 Jan 2013 19:03:59 -0500
Excellent idea Gunnar! This is the kind of conceptual comparison that we don't do enough of. gem From: Gunnar Peterson <gunnar () arctecgroup net<mailto:gunnar () arctecgroup net>> Reply-To: Gunnar Peterson <gunnar () arctecgroup net<mailto:gunnar () arctecgroup net>> Date: Thursday, January 17, 2013 6:39 PM To: gem <gem () cigital com<mailto:gem () cigital com>>, Secure Code Mailing List <SC-L () securecoding org<mailto:SC-L () securecoding org>> Cc: "EParizo () techtarget com<mailto:EParizo () techtarget com>" <EParizo () techtarget com<mailto:EParizo () techtarget com>> Subject: RE: [SC-L] SearchSecurity: 13 Design Principles for 2013 Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of security. On the software side, esp in the case of Twitter, Facebook et al, the equivalent is David Gelernter. I did a mashup of these titans and I must say I think there is a fair(and increasing) amount of impedance mismatch. Meaning many of S& S's fundamental assumptions do not apply in Gelernter's universe. For example how do I completely mediate in a federation? Answer: you dont you have partial control at best. http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html Gunnar Sent from my mobile -------- Original message -------- From: Gary McGraw <gem () cigital com<mailto:gem () cigital com>> Date: To: Secure Code Mailing List <SC-L () securecoding org<mailto:SC-L () securecoding org>> Cc: "Parizo, Eric" <EParizo () techtarget com<mailto:EParizo () techtarget com>> Subject: [SC-L] SearchSecurity: 13 Design Principles for 2013 hi sc-l, Merry new year to you all. About the hardest part of software security is design. Everything about it is hard: secure design, threat modeling, architectural risk analysis, etc. Even convincing slow pokes that there is a difference between bugs and flaws is hard (you should see the "reviews" my talk got from the "expert" RSA program committee this year…hah!). For many years I have struggled with how to teach people ARA and security design. The only technique that really works is apprenticeship. Short of that, a deep understanding of security design principles can help. in 1975 Salzer and Schroeder wrote one of the most important papers in computer security. In it, they introduced the concept of security principles. I riffed on that this month in my SearchSecurity column. Please read it and pass it on. Give a copy to all of the software architects you know. http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org<mailto:SC-L () securecoding org> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
Current thread:
- SearchSecurity: 13 Design Principles for 2013 Gary McGraw (Jan 17)
- <Possible follow-ups>
- Re: SearchSecurity: 13 Design Principles for 2013 Gunnar Peterson (Jan 17)
- Re: SearchSecurity: 13 Design Principles for 2013 Gary McGraw (Jan 17)