[SC-L] "Bumper sticker" definition of secure software

Paolo Perego thesp0nge at gmail.com
Tue Jul 18 10:32:12 EDT 2006 

Hi list, I'll introduce myself with a claim:
"Software is like Titanic, pleople claim it was unsinkable. Securing is
providing it power steering"

thesp0nge

On 7/18/06, Gadi Evron <ge at linuxbox.org> wrote:
>
> On Mon, 17 Jul 2006, Rajeev Gopalakrishna wrote:
> > Reliability is concerned only with accidental failures while security
> has
> > to consider malicious attacks as well. The difference is in the intent
> of
> > the software user: benign or malicious.
> >
> > And for a bumper sticker, here is one for the pessimists:
> >
> > "Secure Software is a Myth"
> >
> > and another version for the skeptics:
> >
> > "Is Secure Software a Myth?"
> >
> > :)
>
> Again, this would speak only to a very small percentage of the
> population. You me, maybe 10K people around the world if we are generous.
>
> >
> > -rajeev
> >
> >
> > On Mon, 17 Jul 2006, Peter G. Neumann wrote:
> >
> > > You suggest:
> > >
> > >   Secure software is software that remains dependable despite efforts
> to
> > >   compromise its dependability.
> > >
> > > You need a bigger-picture view that encompasses trustworthiness
> > > and assurance.
> > >
> > > "Dependable systems are systems that remain dependable despite
> > > would-be compromises to their dependability."
> > >
> > > "Trustworthy systems are systems that are worthy of being trusted
> > > to satisfy their requirements (for security, reliability,
> survivability,
> > > safety, or whatever)."
> > >
> > > Security is generally too narrow by itself, because a system that is
> > > not reliable is not likely to be secure, especially when in
> > > unreliability mode!
> > >
> > > The principle of Keep It Simple is inherently unworkable with respect
> to
> > > security.  Security is inherently complex.  Trustworthiness is broader
> and
> > > even more complex.  But if you don't think about trustworthiness more
> > > broadly, what you get is not likely to be very secure.
> > >
> > > Forget the bumper sticker approach.
> > >
> > > _______________________________________________
> > > Secure Coding mailing list (SC-L)
> > > SC-L at securecoding.org
> > > List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> > > List charter available at -
> http://www.securecoding.org/list/charter.php
> > >
> > _______________________________________________
> > Secure Coding mailing list (SC-L)
> > SC-L at securecoding.org
> > List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> > List charter available at - http://www.securecoding.org/list/charter.php
> >
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
>



-- 
$>cd /pub
$>more beer

AngeL core developer: http://www.sikurezza.org/angel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20060718/9e775e27/attachment-0001.html

More information about the SC-L mailing list