Not-Separateness: Sparklines Web Service

Edward Tufte's recent work has included a focus sparklines. Sparklines are graphics that are embedded inline with text, cf. . This way the graphical information becomes a part of the text rather than separated out to its own chart, table, page, etc. The sparklines concept echoes Christopher Alexander's elements of style for architecture articulated in Nature of Order around the principle of not-separateness in architecture:

Not-Separateness
  Designs should be connected and complementary, not egocentric and isolated.

This article discusses a way of bringing all this non-separate thinking about sparklines into a dynamic web service!

Security and Trust: Things That Perk Up Your Ears

In a software design or requirements session, I have long maintained that using the word "security" does more harm than good. Everyone has a different intrepretation and often conflicting version of its definition. Instead, during a design session I will usually interject and try to bring the conversation towards a more precise definition of what the designers mean by "security". Does it mean constraining access at some point? Encrypting data? etc., etc. Precise definitions are a necessary condition for a secure system, and provide the specificity that developers can build software from.

Another reason that additional specificity in defining "security" is important is that many things that get labelled "security" conflict with another. For example, privacy and security are typically on a collision course at various points in systems design and encryption may help to constrain access while "blinding" an IDS or other tool. Precise definition of the problems, requirements, and design options allows for security architectural tradeoff analysis.

Another word that piques my interest in design discussions is "trust". When the word is bandied around as "my server trusts this other server" (usually as solving the previously defined "security" problem), it is helpful to be very specific about what this means and the implications. Because process a is "trusted" does this mean ftp and telnet are copacetic? How is the "trust" guaranteed? Instead of blindly ascribing boolean "trust", the designers should precisely define what mechanisms are providing what protection, detection and response that allow the system to meet its requirements for confidentiality, integrity, and availability. Security-focused Use Case modeling can describe the necessary pre-conditions that are required and the relationships between system elements. Again specificity pays off, using vague terms like "security" and "trust" to describe security mechanisms means that developers will create their own definitions which may or may not meet the overall system goals. 

Information Security Considerations for Use Case Modeling

New article is posted detailing specific ways for security to collaborate during the software development lifecycle: "Top Ten Information Security Considerations for Use Case Modeling". The article looks at security aspects and implications in the Use Case model including: pre and post conditions, relationships, stakeholders, and more. The continuing theme in focusing on software development is for security team personnel to first focus on and leverage for security purpposes that which already exists in the software development process. The Use Case model provides a rich set of elements that Infosec can use to help developers build more secure software.

Interoperable Defense In Depth Layers or Trust is for Suckers

How do you achieve security across the classic defense in depth layers (Physical, Network, Host, Application, and Data)? Historically, Infosec has frequently focused on security _inside_ these individual layers and relied on "trust" for integration across layers, i.e. my program is trusted since there is a firewall and an acl on the directory and files it executes. Is this good enough? Leaving aside all of the manageability issues of supporting five distinct security model, policies, and repositories, how do you build a coherent security ruleset across these layers, and how do you achieve interoperability?

In specific terms, what is the best way to propagate, deal with, and understand claims made about subject that cross or span these Defense in depth Layers? If we assume that each layer has one or more security models associated with it then, we need a STS at each layer to inspect claims, exchange, validate, and issue layer-specific tokens and policies. These STSes would affect a vertical security model instead of solely the horizontal or execution runtime view where security is typically focused.

The statement trust is for suckers sums up the situation that we see all too frequently in a vertical view of the system's defense in depth layers. What this "STS in Depth" approach could mean is that we could move away from a binary trusted vs untrusted view of the world and more towards stronger security tokens that are context-sensitive to the protocols and data formats that their native layer recognizes.

Holistic Security Viewpoint: Marcus Ranum Interview

Security Focus features an interview with Marcus Ranum, it includes typically bleak (though not inaccurate) assessment around the current state of Infosec. As usual, Marcus Ranum is not always bowing to consensus default views, but rather bringing up additional ways to think about security.

If a standard protocol is broken or insecure, what is the best solution? Maybe supporting only some features or adding a crypto layer?

If it's broken, adding crypto just makes it broken and hidden.

If a standard protocol is broken, the best solution is to deprecate the standard and use something else. Just fix it and move on. It's not like standards are some kind of holy writ; nobody is going to be punished for ignoring bad standards, right? Remember the ISO networking protocols? Too late, too complicated, and everyone said "no thanks." We can do the same, and we should.

Big customers should feel empowered to tell vendors (or standards committees, for that matter), "Nope. That sucks. No money for you, until you fix it." The customer is always right.

This is a good example of holistic thinking applied to Infosec where solving one problem may have cascading effects and make other problems difficult or infeasible to address. The problem is compounded by the lack of interoperability in the security products, standards, and tools which are designed to meet the designer's requirements (vendor/standards body/ et al), and not necessarily the end implementer.

XML Security: Learning from XMPP

Johannes Ernst blogged about using XMPP for various digital identity concerns, such as pub-sub for rss and website changes. There is an additional best practice pattern from the XMPP space that can inform design in SOA and digital identity worlds. Peter Gutmann wrote about why XML Security is Broken and how XMPP uses S/MIME instead of XML Security for end to end signing and encryption Beyond the specific flaws addressed in Peter Gutmann's paper, I think the fundamental question is: how closely coupled should the security mechanisms be to the protocol/language.

STS World

I was not able to attend Digital ID World last month, however in reviewing the presentations, it seems that the show could have also been called STS world. Security Token Services (STS) are one of the most interesting developments in security, since they address one of distributed systems' security biggest issues: interoperability. The STS metasystem approach for exchanging tokens and policies with a composeable set of security tokens and protcols has vast utility both in a SOA/Web Services world, but also beyond. It is nice to see security designed as a service so that it can be used in a number of different contexts. It is even nicer to see products implement this pattern, now just the small bit about ratifying WS-Trust, eh?

Writing Security-focused Use Cases

Use Case modeling is an underappreciated/underutilized art in security architecture. Historically, security is brought in at the 11th hour to bless/deny an app dev project trying to go live. This has created all sorts of knee jerk security and generally results  in as Blaine Burnham said: app developers getting the puppy to run and then we'll shove some crypto in there some place.

Use Cases benefit security in many ways: Use Cases enable an end to end view of the system as opposed to focusing inside of one set of requirements Use Cases illuminate dependencies and relationships at a logical level. Use Cases provide contextual background for the functional requirements so security architects can use this context to build a shared understanding of what access control mechanisms, for example, are deployed and where in the system they are to be deployed. Use Case models depict not just "happy path", but also alternate and exceptional flows. Exception flows describe the state of the system when it has hit exception conditions. Defining what parts of the system fail open or fail closed can be specified here to drive design from the early stages of development in concert with security policy and objectives.

Use Case relationships come in two flavors: includes and extends. Includes relationships alter the flow of the calling Use Case based on its own outcome, so if an Authenticate User or Authorize User Use Case is included the end result, say access denied, would potentially change the flow of the Use Case that called it. In the case of extends, the Use Case outcome does not change the behavior of the related Use Case so a Log Event Use Case may fail due to an error like a full disk, but it may be desirable for the base Use Case to continue anyhow.

Use Cases provide a more precise and contextually aware format for security to proactively participate in the software development lifecycle from the early stages. Developing Use Cases does not require coding experience, so security personnel that do not have a deep software development background can master Use Case modeling and add value (and security) to the code that is being built. All of this works to get security out of knee jerk mode and towards specifying what countermeasures are built early on in the process.

Software Security Label Strawman

NIST has iterated the idea of a Software Security Facts label, similar to the type we see in food labeling. I first saw an example of this in Jeff Williams' presentation at OWASP Europe. NIST is soliciting feedback to further develop the concept.

Lego Computers

Software architects frequently refer to component and related designs as Lego-like building blocks, however the world of case mods has flipped the script.