Brian Snow on Security

Good paper (.pdf) by Brian Snow of the NSA on security and assurance.

Abstract: When will we be secure? Nobody knows for sure—but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers’ stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today’s commercial security products and services. I discuss paths to better assurance in Operating Systems, Applications, and Hardware through better development environments, requirements definition, systems engineering, quality certification, and legal/regulatory constraints. I also give some examples.

Tags: academic papers, certifications, computer security, hardware, laws, NSA, operating systems, security engineering

Posted on December 13, 2005 at 2:15 PM • 11 Comments

Comments

AG • December 13, 2005 5:15 PM

Great read thanks for the link to the article!

stacy • December 14, 2005 9:12 AM

“[…] but it cannot happen before commercial security products and services possess […]”

Personally, I would like to see less emphasis on security products and more emphasis on products with security controls built in. I realise I’m splitting hairs here, but as long as security professionals continue to refer to ‘security products’ and ‘security systems’ people outside the security profession will continue to see security as an optional component that can be added later.

Bruce Schneier • December 14, 2005 9:53 AM

“Personally, I would like to see less emphasis on security products and more emphasis on products with security controls built in. I realise I’m splitting hairs here….”

You’re not; you’re making a very important point. In general, the existence of a “security product” demonstrates an underlying security failure that the product has to fix.

Bruce Schneier • December 14, 2005 9:54 AM

“Great read thanks for the link to the article!”

Brian always has interesting things to say.

I think he’s right, but I don’t think he’ll get what he wants before regulation and/or liabilities force companies to provide it.

SW • December 14, 2005 10:09 AM

I think that one of the largest hurdles, as Brian seems to point out, is that customers don’t necessarily cry out for products, security or not, with greater assurance. They are satisfied to label their assets as ‘protected’ by some means. Even if they don’t truly understand how the device/s works or utilize it to its full potential. Organizations seem to attach themselves to a ‘we’ve got security software and/or devices somewhere on our network/hosts; so we’re good!’ motto.

jayh • December 14, 2005 1:50 PM

Is anyone else bothered by how close this can come to requiring ‘FBI approved’ software on network connected machines (as was discussed the other day) with ‘security’ being the excuse to get the camel’s nose in the tent.

Ray Potter • December 18, 2005 8:48 PM

Regarding the comment from SW, I agree that is the state we are currently in… especially in US Federal government procurement. See http://www.apexassurance.com/blog/ for some comments and analysis on this issue.

Brian Snow • September 3, 2006 9:35 PM

I accept Stacy’s (Dec 14, 2005) distinction between security products and products with security controls built-in. My comments were intended to address both; I will be more clear on this point in the future. Thanks.

Brian Snow • September 3, 2006 9:42 PM

Responding to Bruce Schneier (Dec 14, 2005).

First, thanks for mentioning my paper on your site; I appreciate it!

I agree when Bruce says, “I don’t think he’ll get what he wants before regulation and/or liabilities force companies to provide it.” But something akin to that IS in fact now happening.

I think the insurance industry is now moving to differential pricing of business disaster recovery insurance, dependent in part on the quality of the security sub-systems used in Corporate IT systems.

It may take another five to ten years to see results, but I do believe they are coming.

Brian Snow • September 3, 2006 9:48 PM

responding to jayh (Dec 14, 2005).

I was not “requiring ‘FBI approved’ software on network connected machines with ‘security’ being the excuse to get the camel’s nose in the tent.” Far from it.

I want to awaken the commercial security industry to the issue; I want them to stand up to it so there will be NO NEED for government “help”.

College Boy • October 25, 2008 9:35 PM

I am teaching both information assurance and software engineering this semester. There is a huge synergy there because, as I have told my IA students during the computer security unit of the course just how important software quality is in preventing security holes. And in software engineering I tell them how important processes are in achieving software quality. The relationship becomes painfully obvious.

Brian Snow on Security

Comments

Leave a comment Cancel reply