industry progress and attitudes
Progress Report by Gene Spafford
For instance, imagine buying a single model of commercial speedboat and assuming it will be adequate for bass fishing, auto ferries, arctic icebreakers, Coast Guard rescues, oil tankers and deep water naval interdiction--so long as we add on a few items. Fundamentally, we understand that this is untenable and that we need to architect a vessel from the keel upward to tailor it for specific needs, and to harden it against specific dangers.
Why can't we see the same is true for computing? Why do we not understand that the commercial platform used at home to store Aunt Bee's pie recipes is not equally suitable for weapons control, health care records management, real-time utility management, storage of financial transactions and more? Supporting everything in one system results in unwieldy software on incredibly complex hardware chips, all requiring dozens of external packages to rein in problems introduced by the complexity.
The situation is unlikely to improve until we start valuing good security and quality over the lifetime of our IT products. We need to design systems to enforce behavior within each specific configuration, not continually tinker with general systems to stop each new threat. Firewalls, IDS, antivirus, DLP and even virtual machines are used because the underlying systems aren't trustworthy.
A better approach would be to determine exactly what we want supported in each environment, build systems to those more minimal specifications, and then ensure they are not used for anything beyond those limitations. To use some current terminology, that's whitelisting as opposed to blacklisting. It's also craftsmanship--using the right tools for each task at hand, as opposed to treating all problems the same because all we have is a hammer.
As an academic, I see how knowledge of the past combined with future research can help us have more secure systems. The challenge continues to be convincing enough IT professionals that "cheap" is not the same as "best," and that we can afford to do better. After all, we no longer need to pay $20 per transistor.
btw...
intolerable tolerance
Biggest security worry: "Once we begin to tolerate or accept bad behavior, we've lost the battle against it."
polar opposites
Has visited Tasmania and the Isle of Jersey, as well as Tromso, Norway, which is north of the Arctic Circle.
If you weren't a security professional, you'd be a...
Teacher/professor.
"That's actually what I consider myself to be first and foremost now, with inventor second."
favorite musician/band
The list is eclectic: Tangerine Dream, Everything But the Girl, Genesis and Phil Collins, Joe Satriani, Pat Metheny.