[WEB SECURITY] Re: [Full-disclosure] comparing information security to other industries

coderman coderman at gmail.com
Tue Dec 19 17:10:24 EST 2006

On 12/19/06, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
> On Tue, 19 Dec 2006 12:16:29 PST, KT said:
> > So we have been dealing with information security from last 20 years

i'd argue this is closer to 40 years than 20. [0]

> 20 years after the first automobile, we'd gotten as far as a Model A or T
> or so.

1885 [1] to 1965 [2] for decent auto security.  80 years?  add 10
years if you consider air bags the requisite threshold.

> (Incidentally, the fact that we still have a lot of security issues isn't
> actually a software problem, so much as an innate lack of tools to help
> humans understand *any* complex system, be it software, or the economy,
> or global climate, or....)

i argue that the vast majority of insecure computing problems are
indeed software problems, in the sense that proper software design and
development would fix them.  consider the automobile theme, where a
wheel, some pedals, and a few signalling levers allow you to operate a
vehicle with more computers and technology than space faring vehicles
from a mere 30 years past.  these machines are usable and secure,
despite their mind boggling technological complexity brought about
over a hundred years of evolutionary and radical improvement.

let's side step the economics and inertia of existing software / IT
practice and look at a future utopia for sake of argument:

A: usability is requirement #1 for security [3].  is configuring that
IPsec IKE/ISAKMP key distribution and re-key policy iPod (tm) simple?
how about generating PKI infrastructure for those OpenVPN connections?
 "security" products are so ridiculously complicated it's a wonder
anyone is able to use them.  for a good laugh, write down the steps
required to configure full disk encryption and a strong VPN from your
laptop to a server. LOL, ROFFLE, etc.

B: capability based computing is the norm, as identity based access
control is fundamentally flawed [4].  if you've only heard of
capability based security in passing, consider this an underscore of
the systemic and pervasive nature of our willful ignorance of good

C: consumers can recognize and compare the merits of security built
into systems they use, with producers willing and able to emphasize
security considerations during design, implementation, testing, and
support/integration phases of production and life cycle [5].

99.5% of existing problems disappear in such a world, leaving mostly
insider fraud to be addressed via process and policy.  we can get
there, but it ain't gonna happen soon...

0. "Capability-Based Computer Systems - Chap. 3 Early Capability Architectures"
    [ref: Dennis and Van Horn @ MIT using Capabilities to describe
secure composition in 1966]

1. "History of the Automobile"

2. "Unsafe at Any Speed"

3. "Secure Interaction Design"

4. "Capability Security Model"

5. "Build Security In"

The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list