Dan Pritchett blogged about Architectural Shelf Life - "The duration that a collection of patterns and technology are applicable when starting a new system design." He argues that this changes about every 5 years, which is pretty fast when you think about it. Our story on the security side is measured in decades, not years. Kerberos, certificates, RSA, and other workhorse technologies are relatively unchanged since the 70s and 80s. So we security folk are multiple iterations behind developers.
Out of this comes the need for two things: one, we need to innovate at a much higher rate, but equally important, we need better deployment models. The primitives we have that actually work need to be engineered better to form fit to the rapidly changing software side. It's not good enough to say "we have it all figured out"; we have to apply the stuff that works to real software architectures. Why is a dab of firewalls and SSL still our answer after all these years?
Two case studies of where security technologies were adapted to technical realities to provide effective security mechanisms in the real world are SAML, which learned a lot from Kerberos and then applied it to the Web and XML, and WS-Trust/STS, which owes a lot to SDSI/SPKI and applied it to Web services/XML plumbing.
Software security is starting to grow as an industry. But a lot of the answers I hear and see in the field are predicated on "we want to reengineer the entire SDLC", etc. Sometimes what is really needed is evolution, not revolution, and an easy-to-use adapter that ships in a few weeks... I remember Brian Snow's talk at Black Hat several years ago when he talked about the NSA putting certificate checks in all calls to the Solaris kernel. It's not all about new primitives; it's also about finding the art of the possible of what we can do with what we already have. Chief among these is adapting to technical realities.
I wrote a piece about the gap between general IT innovation and security innovation a few months ago. Hope you like it:
http://www.securitybalance.com/?p=175
Posted by: Augusto Paes de Barros | September 04, 2008 at 12:20 PM