[SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)
Gunnar Peterson
gunnar at arctecgroup.net
Fri Mar 20 23:06:01 EST 2009
> Two areas that don't seem to immediately lend themselves to design/spec
> level solutions are (1) transitive trust and (2) interaction errors
> between multiple components that are all working correctly. I'd love to
> hear from people who've had to solve these problems in the real world.
> Based on what I see in CVE, it seems that the answer for item 2 is usually
> for one component to choose to conform to another's expectations, and that
> conforming component isn't always the one that "should" be changed.
Those are both definitely apparent at design time. Paraphrasing Bob
Blakley, applications are built on composition, but most security
protocols are point-to-point and don't compose. So anyone who bothers
to look at the end-to-end application will see massive gaps in the
security protocols.

The "fix" is likely a decision between an STS/federation/proxy pattern
and a way to link policy to mechanism. WS-SecurityPolicy provides one
such way to specify the policy side.
-gunnar
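The two ideas in the reply, that point-to-point protocols leave end-to-end gaps when components are composed, and that an STS/federation pattern with policy tied to mechanism closes them, can be made concrete with a small model. The block below is an added example; it is not code from the post, from the SC-L list, or from any WS-* or WS-SecurityPolicy implementation. It assumes an HMAC-signed token format, a single key shared by the STS and the services that trust it, a constructed subject "alice" and three invented hop names ("frontend", "backend", "reporting"); a real deployment would use asymmetric keys and would authenticate the service requesting a token exchange, which is omitted here. `naive_forwarding` shows the transitive-trust gap the quoted question asks about: a front end forwards the client's own token to a back end that only checks "was this signed by my STS?". `federated_call` shows the STS re-scoping the token per hop and the back end pinning issuer, audience and actor, which is the policy-to-mechanism link in its simplest form.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared by the STS and every service that trusts it
# (an assumption for the example; real systems use asymmetric keys per issuer).
STS_KEY = b"constructed-demo-key-not-for-real-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify(token: str, key: bytes, policy: dict) -> dict:
    """Check signature and expiry, then every claim the hop's policy pins.
    A policy value that is a set/list/tuple means 'one of these'; anything else
    must match exactly. The policy dict is the mechanism-side encoding of
    'who may call me, addressed to whom, acting for whom'."""
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    for name, wanted in policy.items():
        have = claims.get(name)
        ok = have in wanted if isinstance(wanted, (set, list, tuple)) else have == wanted
        if not ok:
            raise ValueError(f"policy violation on {name}: {have!r}")
    return claims


class STS:
    """Security token service: the one party every hop trusts, so it can
    re-scope a token from one hop to the next while recording the actor."""

    def __init__(self, key: bytes, issuer: str = "sts.example"):
        self.key, self.issuer = key, issuer

    def issue(self, subject: str, audience: str,
              actor: Optional[str] = None, ttl: int = 300) -> str:
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "act": actor, "exp": int(time.time()) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def exchange(self, token: str, requester: str, target_audience: str) -> str:
        """Token exchange: only the hop the token is addressed to may trade it
        for one addressed to the next hop, and it is named as the acting party.
        (Authenticating `requester` itself is assumed and not modelled here.)"""
        claims = verify(token, self.key, {"iss": self.issuer, "aud": requester})
        return self.issue(claims["sub"], target_audience, actor=requester)


class Service:
    def __init__(self, name: str, key: bytes, policy: dict):
        self.name, self.key, self.policy = name, key, policy

    def accepts(self, token: str) -> Optional[dict]:
        """Return the claims if the token satisfies this hop's policy, else None."""
        try:
            return verify(token, self.key, self.policy)
        except ValueError:
            return None


def naive_forwarding():
    """Point-to-point thinking: the front end forwards the client's own token
    to the back end. Returns (accepted when the back end checks only the
    issuer, accepted when it also checks the audience)."""
    sts = STS(STS_KEY)
    client_token = sts.issue("alice", audience="frontend")
    lax_backend = Service("backend", STS_KEY, {"iss": "sts.example"})
    strict_backend = Service("backend", STS_KEY, {"iss": "sts.example", "aud": "backend"})
    return (lax_backend.accepts(client_token) is not None,
            strict_backend.accepts(client_token) is not None)


def federated_call() -> dict:
    """STS/federation pattern: the front end exchanges the client's token for
    one scoped to the back end; the back end pins issuer, audience and the
    actors it is willing to be called through."""
    sts = STS(STS_KEY)
    backend = Service("backend", STS_KEY,
                      {"iss": "sts.example", "aud": "backend", "act": {"frontend"}})
    client_token = sts.issue("alice", audience="frontend")
    hop_token = sts.exchange(client_token, requester="frontend", target_audience="backend")
    try:  # a different service holding alice's front-end token cannot re-scope it
        sts.exchange(client_token, requester="reporting", target_audience="backend")
        rogue_exchange_ok = True
    except ValueError:
        rogue_exchange_ok = False
    direct = sts.issue("alice", audience="backend")  # no actor: not via the front end
    hop_claims = backend.accepts(hop_token)
    return {
        "hop_subject": hop_claims["sub"],
        "hop_actor": hop_claims["act"],
        "forwarded_rejected": backend.accepts(client_token) is None,
        "rogue_exchange_rejected": not rogue_exchange_ok,
        "direct_rejected": backend.accepts(direct) is None,
    }
```

The lax back end in `naive_forwarding` is correct as a point-to-point component (it really does verify the STS signature), which is exactly why the gap only appears when the whole chain is examined: nothing in the first hop's protocol says what the second hop may do with the token. The federated version makes each hop's expectations explicit in its policy dict, so a reviewer can read the trust chain off the configuration rather than reconstructing it from code.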