Recent Posts

Blogroll

Blog powered by TypePad

« Web 2.0 Security - The Beginning of the End or The End of the Beginning | Main | MetriCon 3.0 »

Software and Security Separateness - You're Doing It Wrong

Many years ago, I was a trout bum, and the guy who captured that wonderful experience better than anyone was John Gierach, I was lucky enough to live a few miles up the Frying Pan river from where he stayed when he was fishing up there. In one of his stories he recounted the following

New enthusiastic flyfisherman: "When you get your cast just right, its better than sex!"

Other person: "You are doing one of those things the wrong way."

In the same way that you can get two separate things confused you can also get confused by thinking two things that are joined as being separate - if you think security is one thing and software development is another, you are doing both of them the wrong way. I had a coffee with a marketing person yesterday, he had been to my talk at Secure 360 conference and said he liked it because he could understand it, the others were too technical (a lot of stuff in my talk was fairly technical as well, but I always strive to keep the narrative flow accessible to everyone). He really wanted to understand what I did. After several attempts of my explaining the software security problem, I pointed to one side of the coffee shop and said - the developers sit over there. Hundreds or even thousands of them. The security people sit over there on the opposite side of the coffee shop. They are separate groups, with separate agendas, they rarely collaborate, there is no center. And he got it.

Software development is its own culture discipline - processes, scripts, languages, and so on. Security is its own discipline and culture. As long as these remain separate disciplines, separate cultures, we'll see the same results we have seen so far - namely minimal to no security is software. On a basic level things are not going to improve until the practices, tools, and people are unified.

Pond

This corresponds to Christopher Alexander's fifteenth and most important fundamental property Not-Separateness

Let me summarize in structural terms what this property is all about. It states that any center which has deep life is connected, in feeling, to what surrounds it, and is not cut off, isolated, or separated. In a center which is deeply coherent there is a lack of separation - instead a profound connection - between that center and other centers which surround it, so that the various centers melt into one another and become inseparable. It is that quality which comes about from each center, to the degree it is connected to the whole world.
Now, let's re-examine infosec and software- we have separate groups of people, separate projects, separate agendas. They don't agree on a center. Alexander's Not-Separateness underscores not only why infosec and security has issues creating value together, but also why we need to look at decentralized software security architectures, not centralized or distributed architectures.

More deeply, so much (all?) of infosec is focused on separation and isolation, its this misguided assumption that has led infosec to a sorry record of non-innovation. A failure to realize that its a building problem, a development problem, a integration problems, and a scalability problem with security properties.

The high priests of infosec talk about protocols and access control models, instead what we need are strong centers. Obsessing about isolation mechanisms that don't scale is the wrong way to go, focusing on ways to build and integrate strong centers is. Its not about access control, its about strong subject-object centers.


Decentralized

May 30, 2008 in Security |

Comments

I see very few organizations 'measuring' software quality/robustness in any but the most simplistic way (lines of code - SLOC), even though the Chidamber/Kemmerer Object-Oriented Metrics calculations are available in many of the toolsets now.

Software security metrics could easily be incorporated into a larger effort at increasing the sophistication of software measurement.

Posted by: Chuck | June 07, 2008 at 06:05 PM

From the Art of War:
"If his forces are united, separate them....

We can form a single united body, while the enemy must split up into fractions. Hence there will be a whole pitted against separate parts of a whole, which means that we shall be many to the enemy's few."

Of course just who the enemy is here might be up for debate.

Posted by: Forg Snud | June 25, 2008 at 02:54 PM

The comments to this entry are closed.