Secure Coding mailing list archives
Re: Computerworld: Opinion - Making apps secure is hard work
From: Gunnar Peterson <gunnar () arctecgroup net>
Date: Thu, 12 Aug 2010 08:46:52 -0500
Hi Ken,

You raise some important points. Most infosec is approached as a set of controls, but access control only takes you so far in the face of malice. I like this quote from G.K. Chesterton:

"The real trouble with this world of ours is not that it is an unreasonable world, nor even that it is a reasonable one. The commonest kind of trouble is that it is nearly reasonable, but not quite. Life is not an illogicality; yet it is a trap for logicians. It looks just a little more mathematical and regular than it is; its exactitude is obvious, but its inexactitude is hidden; its wildness lies in wait."

Notice the distinction: the first part gets to why access control matters - we can use crypto and such to impose our policies on the logic that we know and understand, but it does not help us at all with inexactitude. There's no margin of safety; the control either works or it doesn't.

-gunnar

On Aug 12, 2010, at 7:17 AM, Kenneth Van Wyk wrote:

> I figured this was relevant here, so here's a link to my August column for Computerworld.
>
> Excerpt: 'What's that you say? All the app vetting you've been doing to date consists only of verifying that the apps play by the rules? That is, that they use only published APIs and such? Well, then, you really have your work cut out for you, because that's not all that your customers expect.'
>
> To read the complete article see: http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17
>
> Cheers,
> Ken
>
> -----
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
> Follow us on Twitter at: http://twitter.com/KRvW_Associates
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________