[SC-L] "Bumper sticker" definition of secure software
Rajeev Gopalakrishna
rgk at cerias.purdue.edu
Mon Jul 17 22:23:27 EDT 2006
Reliability is concerned only with accidental failures while security has
to consider malicious attacks as well. The difference is in the intent of
the software user: benign or malicious.
And for a bumper sticker, here is one for the pessimists:
"Secure Software is a Myth"
and another version for the skeptics:
"Is Secure Software a Myth?"
:)
-rajeev
On Mon, 17 Jul 2006, Peter G. Neumann wrote:
> You suggest:
>
> Secure software is software that remains dependable despite efforts to
> compromise its dependability.
>
> You need a bigger-picture view that encompasses trustworthiness
> and assurance.
>
> "Dependable systems are systems that remain dependable despite
> would-be compromises to their dependability."
>
> "Trustworthy systems are systems that are worthy of being trusted
> to satisfy their requirements (for security, reliability, survivability,
> safety, or whatever)."
>
> Security is generally too narrow by itself, because a system that is
> not reliable is not likely to be secure, especially when in
> unreliability mode!
>
> The principle of Keep It Simple is inherently unworkable with respect to
> security. Security is inherently complex. Trustworthiness is broader and
> even more complex. But if you don't think about trustworthiness more
> broadly, what you get is not likely to be very secure.
>
> Forget the bumper sticker approach.