Andy Steingruebl and I have a paper in the latest issue of IEEE Security & Privacy, "Software Assumptions Lead to Preventable Errors". A 2004 SEI paper by Grace Lewis et al. looked at the problems caused by undocumented assumptions; we wanted to extend that work to the security-specific factors and how they play out at design time, deploy time and run time. Your mainframe security model was probably sufficient when the machine was a standalone system that only terminals connected to, in 1987. What happens to that security model, predicated on isolation, when you connect an ESB and a bunch of Web services to it and begin publishing its data and functionality across the enterprise and the Web?
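As an added illustration of the design-time, deploy-time and run-time split described above (example code, not from the paper or the post), the sketch below writes the mainframe's isolation assumption down as a checked property instead of leaving it implied. The names `LegacyAccountService`, `DeploymentContext`, `WebFacade` and the sample accounts, sessions and ownership table are all constructed for this example.

```python
"""Added example, not from the paper or the post: a design-time assumption of
network isolation made explicit, checked at deploy time, and compensated for
at run time when the same code is published over a web service boundary.
All class names and sample data here are hypothetical."""
from dataclasses import dataclass


@dataclass
class DeploymentContext:
    # Constructed description of where the service actually runs.
    isolated_network: bool          # reachable only from terminals / trusted hosts
    exposed_via_web_services: bool  # an ESB or HTTP endpoint publishes it outward


class AssumptionViolated(Exception):
    """Raised when a documented assumption no longer holds in this deployment."""


class LegacyAccountService:
    """Models a 1987-era mainframe application: every caller is assumed to be a
    user already authenticated by the terminal session, so the code itself
    performs no access check. The assumption is recorded as a class attribute
    so that deployment tooling can test it rather than rediscover it."""
    ASSUMES_ISOLATED_NETWORK = True

    def __init__(self):
        self._balances = {"ACCT-1": 100, "ACCT-2": 250}  # constructed sample data

    def get_balance(self, account_id):
        return self._balances[account_id]


def check_deploy_time_assumptions(service, ctx):
    """Deploy-time check: refuse to bring the service up unprotected if its
    isolation assumption is false for the target environment."""
    if service.ASSUMES_ISOLATED_NETWORK and (
        not ctx.isolated_network or ctx.exposed_via_web_services
    ):
        raise AssumptionViolated(
            "service assumes an isolated network but this deployment exposes it"
        )


class WebFacade:
    """Run-time compensation: when the legacy service is published through a
    web service, the facade must supply the guarantee the old code took for
    granted, so it authenticates the session and authorises the account."""

    def __init__(self, service, sessions, ownership):
        self._service = service
        self._sessions = sessions    # token -> user (constructed)
        self._ownership = ownership  # account_id -> owning user (constructed)

    def get_balance(self, token, account_id):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("unauthenticated")
        if self._ownership.get(account_id) != user:
            raise PermissionError("forbidden")
        return self._service.get_balance(account_id)


def run_demo():
    """Runs the terminal-only and ESB deployments and returns what each did."""
    svc = LegacyAccountService()
    on_terminals = DeploymentContext(isolated_network=True, exposed_via_web_services=False)
    on_esb = DeploymentContext(isolated_network=False, exposed_via_web_services=True)
    results = {}

    check_deploy_time_assumptions(svc, on_terminals)  # assumption still holds
    results["terminal_deploy_ok"] = True
    try:
        check_deploy_time_assumptions(svc, on_esb)  # assumption broken
        results["esb_deploy_rejected"] = False
    except AssumptionViolated:
        results["esb_deploy_rejected"] = True

    # Publishing through the facade restores the missing authn/authz guarantee.
    facade = WebFacade(svc, sessions={"tok-alice": "alice"},
                       ownership={"ACCT-1": "alice", "ACCT-2": "bob"})
    results["own_account"] = facade.get_balance("tok-alice", "ACCT-1")
    for token, acct in (("tok-alice", "ACCT-2"), ("tok-unknown", "ACCT-1")):
        try:
            facade.get_balance(token, acct)
            results[(token, acct)] = "allowed"
        except PermissionError:
            results[(token, acct)] = "denied"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the deploy-time check is that the assumption fails loudly in the environment where it is false, rather than silently at run time after the data is already reachable from the Web.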