Excellent idea Gunnar! This is the kind of conceptual comparison that we don't
do enough of.
gem
From: Gunnar Peterson gun...@arctecgroup.netmailto:gun...@arctecgroup.net
Reply-To: Gunnar Peterson
gun...@arctecgroup.netmailto:gun...@arctecgroup.net
Date: Thursday, January 17, 2013 6:39 PM
To: gem g...@cigital.commailto:g...@cigital.com, Secure Code Mailing List
SC-L@securecoding.orgmailto:SC-L@securecoding.org
Cc: epar...@techtarget.commailto:epar...@techtarget.com
epar...@techtarget.commailto:epar...@techtarget.com
Subject: RE: [SC-L] SearchSecurity: 13 Design Principles for 2013
Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of
security. On the software side, esp in the case of Twitter, Facebook et al, the
equivalent is David Gelernter.
I did a mashup of these titans and I must say I think there is a fair(and
increasing) amount of impedance mismatch. Meaning many of S S's fundamental
assumptions do not apply in Gelernter's universe. For example how do I
completely mediate in a federation? Answer: you dont you have partial control
at best.
http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html
Gunnar
Sent from my mobile
Original message
From: Gary McGraw g...@cigital.commailto:g...@cigital.com
Date:
To: Secure Code Mailing List
SC-L@securecoding.orgmailto:SC-L@securecoding.org
Cc: Parizo, Eric epar...@techtarget.commailto:epar...@techtarget.com
Subject: [SC-L] SearchSecurity: 13 Design Principles for 2013
hi sc-l,
Merry new year to you all.
About the hardest part of software security is design. Everything about it is
hard: secure design, threat modeling, architectural risk analysis, etc. Even
convincing slow pokes that there is a difference between bugs and flaws is hard
(you should see the reviews my talk got from the expert RSA program
committee this year…hah!). For many years I have struggled with how to teach
people ARA and security design. The only technique that really works is
apprenticeship. Short of that, a deep understanding of security design
principles can help.
in 1975 Salzer and Schroeder wrote one of the most important papers in computer
security. In it, they introduced the concept of security principles. I riffed
on that this month in my SearchSecurity column. Please read it and pass it on.
Give a copy to all of the software architects you know.
http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.orgmailto:SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
