Feature

Security 7 Award winners tackle important information security issues


industry progress and attitudes
Progress Report by Gene Spafford

For instance, imagine buying a single model of commercial speedboat and assuming it will be adequate for bass fishing, auto ferries, arctic icebreakers, Coast Guard rescues, oil tankers and deep water naval interdiction--so long as we add on a few items. Fundamentally, we understand that this is untenable and that we need to architect a vessel from the keel upward to tailor it for specific needs, and to harden it against specific dangers.

Why can't we see the same is true for computing? Why do we not understand that the commercial platform used at home to store Aunt Bee's pie recipes is not equally suitable for weapons control, health care records management, real-time utility management, storage of financial transactions and more? Supporting everything in one system results in unwieldy software on incredibly complex hardware chips, all requiring dozens of external packages to rein in problems introduced by the complexity.

The situation is unlikely to improve until we start valuing good security and quality over the lifetime of our IT products. We need to design systems to enforce behavior within each specific configuration, not continually tinker with general systems to stop each new threat. Firewalls, IDS, antivirus, DLP and even virtual machines are used because the underlying systems aren't trustworthy.

A better approach would be to determine exactly what we want supported in each environment, build systems to those more minimal specifications, and then ensure they are not used for anything beyond those limitations. To use some current terminology, that's whitelisting as opposed to blacklisting. It's also craftsmanship--using the right tools for each task at hand, as opposed to treating all problems the same because all we have is a hammer.

As an academic, I see how knowledge of the past combined with future research can help us have more secure systems. The challenge continues to be convincing enough IT professionals that "cheap" is not the same as "best," and that we can afford to do better. After all, we no longer need to pay $20 per transistor.

btw...

intolerable tolerance
Biggest security worry: "Once we begin to tolerate or accept bad behavior, we've lost the battle against it."

polar opposites
Has visited Tasmania and the Isle of Jersey, as well as Tromsø, Norway, which is north of the Arctic Circle.

If you weren't a security professional, you'd be a...
Teacher/professor.
"That's actually what I consider myself to be first and foremost now, with inventor second."

favorite musician/band
The list is eclectic:
Tangerine Dream, Everything But the Girl, Genesis and Phil Collins, Joe Satriani, Pat Metheny.

This was first published in October 2008
