This talk by FX is related to today's earlier post; it's from 2007, but for security archs it's just as relevant today as it was then. If you think of the attack surface as the set of methods, data, and channels an attacker can use against your system, and then think about the evolution of software, you can clearly see the way security systems are "evolving" by staying the same in the face of the vulnerabilities.
First thing out to the woodshed, none other than the firewall. FX asks:
today's firewall is:
a multiprotocol parsing engine
written in C
running in kernel space
allowed full corporate network access
holding cryptographic key material
...and still considered a security device?
Well played, sir. Sounds like a good thing to have on the front lines, no?
So it's easy to see that Information Security has incurred 14 years and counting of
design debt. Just like the subprime crisis, those chickens are going to come home to roost, and now it's only a matter of whether it's a car crash (quick and painful) or a cancer (slow and painful).
FX makes a couple of other critical points:
design systems the right way
defense in depth is one of the few hopes
get used to the fact that things break --
...
adding another security feature isn't reducing the complexity at all
The last point should give any security arch pause. Security people routinely complain that developers make things too complex to secure (see above chart). I think the reality is closer to this: the security teams simply don't move fast enough to address new tools and technologies (again, see above chart). In any case, the complexity issue is often raised in self-defense of security, but here is the kicker: what's the most complex thing in implementations? Aw shucks, it's very often the authN code, the crypto code, and so on. Which brings us back to defense in depth.
Side note: one of the main reasons I focused so much of my time on security was a talk I saw by FX in Amsterdam in 2001, where he showed exploits against a number of lesser-known protocols like LDAP and Cisco management protocols. That talk, and follow-on conversations with him, really stayed with me as a new way to think about software and resiliency.
A problem we see with defense in depth is that it should start at the core where the crown jewels are, rather than the perimeter, and govern where data is released to. Your comments on reference monitors and integration provide a foundation for this.
Posted by: Rob Lewis | March 24, 2009 at 08:27 AM