Marinus van Aswegem has a new blog Telic Thoughts, the first post describes a useful way to think about breaking down risk
How do you find all the holes? Do you know where to look? If the experts who are creating the next generation of crypto routines can't get it right, what hope does your developers have?
Not to mention all the interesting ways your code and applications can be abused in ways you never thought possible.
Throwing technology (Firewalls, SSL, VPN, DLP, Anti Virus, etc) at the software problem isn't going to solve it either. It's an engineering problem, you need to build security in!
No wonder some of the best security guys I know have an engineering background.
I will go one step further, we have two and only two working security mechanisms - a reference monitor and crypto. So while infosec gets wound around the axel obsessing about products and threats, or led around by the nose by analysts, what we really have here is an integration problem - pure and simple. You really have the following choices
What is a "Reference Monitor"?
Posted by: Dave Tauzell | February 27, 2009 at 02:10 PM
http://en.wikipedia.org/wiki/Reference_monitor
Posted by: Gunnar Peterson | February 27, 2009 at 02:13 PM