December 07, 2008

Security is a subset of Reliability

From the "articles I wish I'd written" department, Chandler points to an article by Daniels Geer & Conway on all the ways security is really a subset of reliability. Of course!

I think this is why the best engineers who've done great security things start from the top; from the customer, the product, the market. They know that in order to secure something, they had better know what the something is before even attempting to add a cryptosec layer over it.

Which is to say, security cannot be a separate discipline. It can be a separate theory, a bit like statics is a theory from civil engineering, or triage is a part of medicine. You might study it in University, but you don't get a job in it; every practitioner needs some basic security. If you are a specialist in security, your job is more or less to teach it to practitioners. The alternate is to ask the practitioners to teach you about the product, which doesn't seem sensible.

Posted by iang at December 7, 2008 07:12 PM | TrackBack
Comments

What should I say? ... that is how we always treated when doing business critical dataprocessing.

It is how we viewed it when we were doing ha/cmp (high availability) product ... some past posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

and post referencing meeting on ha/cmp and database scaleup in jan '92
http://www.garlic.com/~lynn/95.html#13

two of the people in the above mentioned meeting left a year or so later to join a small client/server startup responsible for something called the "commerce server". We were called in as consults because the startup wanted to payment transactions on the server. Part of the effort was something called the payment gateway ... some past posts:
http://www.garlic.com/~lynn/subnetwork.html#gateway

and the effort is now frequently referred to as electronic commerce.

post regarding recent checkfree attack and reference to "Web Security hasn't moved since 1995"
http://www.garlic.com/~lynn/2008r.html#42

and related from today:

Kaspersky calls for a more secure internet
http://www.vnunet.com/vnunet/news/2232134/governments-banks-failing-web

from above:

Governments and banking institutions are still failing to pay enough attention to internet security, and allow too much responsibility to rest on the shoulders of consumers

... snip ...

Posted by: Lynn Wheeler at December 7, 2008 09:29 PM
Post a comment









Remember personal info?






Hit preview to see your comment as it would be displayed.