Comments: When to bolt on the security afterwards...

A thought that was lingering: Maybe it is simply a case of "premature optimisation is the root of all evil?"

Posted by Iang at May 21, 2007 09:58 AM

I was thinking a more modern software engineering mantra is something like "premature design is evil/bad/impratical" (cf. XP, Agile, etcetera).

Is "it is impractical to design the security in up-front" different from, say, "it is impractical to design software up-front"?

Posted by fluortanten at May 21, 2007 10:27 AM

Ah, games with words :)

It all depends on what "it" is. If "it" is software, then one is generally advised to design it up-front, although as you suggest there is a case for design-by-discovery.

Primarily, we design according to requirements, and if we have the requirements nailed down, then the question is whether we also include the security in that design, as well as the 3-way-tilt and vibrating leather seats, the dominos hanging from the rear-vision mirror and the extra fat tailpipes. The requirements will tell us.

Once we have assumed security as part of or all of the mission, then security is part of the "it". So design it up front.

Posted by Iang at May 21, 2007 11:01 AM


> Is it that simple?

I think there are several reasons that will lead to security integrated into the design.

One of the questions is, whether it is a new application (with a new market), a new innovation, or not. New applications and new markets are likely better served with a prototype lacking much security, established markets will likely need more security. E.g. a Hypertext viewer 20 years ago, didn´t and couldn´t care much about security. For a modern browser nowadays it´s essential to have security in-built, and even then it´s a tough job.

I am not sure about the other questions yet, but I believe there are a few more.

Best regards,
Philipp Gühring

Posted by Philipp at May 22, 2007 10:04 AM


> Is it that simple?

I found another question: Standardisation.

If you create a Standard, you shouldn´t retro-fit security into it. (See WLAN/WEP/WPA)

Best regards,
Philipp GÜhring

Posted by Philipp at May 22, 2007 10:05 AM
Post a comment

Remember personal info?

Hit Preview to see your comment.
MT::App::Comments=HASH(0x55f05e714c40) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/ line 125.