Schneier on Security
A blog covering security and security technology.
« FBI Speaks Sense on Cyberterrorism |
| Titan Rain »
December 13, 2005
Brian Snow on Security
Good paper (.pdf) by Brian Snow of the NSA on security and assurance.
Abstract: When will we be secure? Nobody knows for sure -- but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers’ stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today’s commercial security products and services. I discuss paths to better assurance in Operating Systems, Applications, and Hardware through better development environments, requirements definition, systems engineering, quality certification, and legal/regulatory constraints. I also give some examples.
Posted on December 13, 2005 at 2:15 PM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Great read thanks for the link to the article!
"[...] but it cannot happen before commercial security products and services possess [...]"
Personally, I would like to see less emphasis on security products and more emphasis on products with security controls built in. I realise I'm splitting hairs here, but as long as security professionals continue to refer to 'security products' and 'security systems' people outside the security profession will continue to see security as an optional component that can be added later.
"Personally, I would like to see less emphasis on security products and more emphasis on products with security controls built in. I realise I'm splitting hairs here...."
You're not; you're making a very important point. In general, the existence of a "security product" demonstrates an underlying security failure that the product has to fix.
"Great read thanks for the link to the article!"
Brian always has interesting things to say.
I think he's right, but I don't think he'll get what he wants before regulation and/or liabilities force companies to provide it.
I think that one of the largest hurdles, as Brian seems to point out, is that customers don't necessarily cry out for products, security or not, with greater assurance. They are satisfied to label their assets as 'protected' by some means. Even if they don't truly understand how the device/s works or utilize it to its full potential. Organizations seem to attach themselves to a 'we've got security software and/or devices somewhere on our network/hosts; so we're good!' motto.
Is anyone else bothered by how close this can come to requiring 'FBI approved' software on network connected machines (as was discussed the other day) with 'security' being the excuse to get the camel's nose in the tent.
Regarding the comment from SW, I agree that is the state we are currently in... especially in US Federal government procurement. See http://www.apexassurance.com/blog/ for some comments and analysis on this issue.
I accept Stacy's (Dec 14, 2005) distinction between security products and products with security controls built-in. My comments were intended to address both; I will be more clear on this point in the future. Thanks.
Responding to Bruce Schneier (Dec 14, 2005).
First, thanks for mentioning my paper on your site; I appreciate it!
I agree when Bruce says, "I don't think he'll get what he wants before regulation and/or liabilities force companies to provide it." But something akin to that IS in fact now happening.
I think the insurance industry is now moving to differential pricing of business disaster recovery insurance, dependent in part on the quality of the security sub-systems used in Corporate IT systems.
It may take another five to ten years to see results, but I do believe they are coming.
responding to jayh (Dec 14, 2005).
I was not "requiring 'FBI approved' software on network connected machines with 'security' being the excuse to get the camel's nose in the tent." Far from it.
I want to awaken the commercial security industry to the issue; I want them to stand up to it so there will be NO NEED for government "help".
I am teaching both information assurance and software engineering this semester. There is a huge synergy there because, as I have told my IA students during the computer security unit of the course just how important software quality is in preventing security holes. And in software engineering I tell them how important processes are in achieving software quality. The relationship becomes painfully obvious.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.