Bill Gross is the manager of the world's largest bond fund, and his quarterly letters contain many insights on the economy as a whole. This one is no exception, and it contains a typically witty yet telling story about how much people at cocktail parties care about what you are saying as opposed to themselves.
During that unbearable minute-and-a-half, however, you’re likely to have covered some of the following topics:
1. Where are you from? (If it’s not a place where I’ve been or have a distant second cousin – don’t care.)
2. How’s the family? (If Johnnie is in advanced placement courses and my kids aren’t – don’t care. Don’t care about your kids’ soccer games either or that upcoming wedding.)
3. Medical problems. (Unless you’re dying from cancer – don’t care. Your artificial hip and kidney stone stories are important only to let me tell you about mine.)
4. How’s work? (Forgot where you work, but it’s a good lead in. Don’t really care though unless you can direct some business my way.)
5. Can you believe Tiger? (Now there’s something I care about, but the wife is only five feet away.)
In his last letter in January, Gross took the UK to task for being among the high risk members of the dubious Debt Ring of Fire club:
the U.K. is a must to avoid. Its Gilts are resting on a bed of nitroglycerine. High debt with the potential to devalue its currency present high risks for bond investors. In addition, its interest rates are already artificially influenced by accounting standards that at one point last year produced long-term real interest rates of 1/2 % and lower.
Like high ranking central bankers everywhere, Bank of England Governor Mervyn King has been reassuring the financial world that their investments in the UK are safe. Gross has an interesting take on this:
Just last week Bank of England Governor Mervyn King said that it would be difficult to cut government spending quickly, but that there needs to be a clear plan for doing so. Not good enough, Mr. King. Don’t care. Show investors the money, not vice-versa. An investor’s motto should be, “Don’t trust any government and verify before you invest.”
"Don't care" is a particularly useful precept for security architects to keep in mind. You are assessing a company's product and they have a slide on their security that features a large number of security protocols. Don't care. Need to lift the hood. You are using Chip *and* PIN so your authentication is stronger? Don't care. Let's look at the tokens used for authorization, the authorization itself, audit logging, and so on.
You are sending my Web services requests via XML message data to my service's application methods and you are using SSL to secure the channel, so you think that should suffice for security?
Don't care. Make sure the message has integrity, give me a security token, a way to authenticate the request, authorize and audit it. Why should I trust the data and the method request simply because they were sent over SSL? If someone sent you a message over SSL and told you to jump off a bridge would you do it?
So the mantra isn't "Trust but Verify", it's "Don't Trust and Verify."
Verification along the lines of static analysis, fuzzing, and other means is still required. Verification is done because of complexity and to ensure linkage between design time intent and run time reality. But verification is not an adequate substitute for trust.
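The message-level checks asked for in the Web services case above (integrity, authentication, authorization, audit), as an added example that is not from the original post. The caller names, key, grants table and the use of a per-caller HMAC key as the security token are all assumptions made for illustration.

```python
import hashlib, hmac, json, time

# Constructed sample data: caller keys and per-caller method grants are assumptions.
CALLER_KEYS = {"billing-app": b"constructed-demo-key"}
GRANTS = {"billing-app": {"getInvoice"}}
MAX_SKEW = 300   # seconds a signed request stays acceptable
AUDIT_LOG = []   # stand-in for an append-only audit sink


def sign(caller, key, method, body, ts):
    """Client side: MAC binds caller, method, timestamp and body together."""
    msg = json.dumps([caller, method, ts, body], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def handle(request, now=None):
    """Service side: decide on the message itself, not on the channel it arrived over."""
    now = time.time() if now is None else now
    decision = _decide(request, now)
    # Every decision is audited, denials included.
    AUDIT_LOG.append({"ts": now, "caller": request.get("caller"),
                      "method": request.get("method"), "decision": decision})
    return decision


def _decide(request, now):
    caller, method, ts = request.get("caller"), request.get("method"), request.get("ts")
    key = CALLER_KEYS.get(caller) if isinstance(caller, str) else None
    if key is None:
        return "deny:unknown-caller"        # authentication: who is asking?
    expected = sign(caller, key, method, request.get("body"), ts)
    supplied = str(request.get("mac", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "deny:bad-integrity"         # body, method or caller was altered
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW:
        return "deny:stale"                 # limits replay; a nonce cache would close the window
    if not isinstance(method, str) or method not in GRANTS.get(caller, set()):
        return "deny:not-authorized"        # authenticated is not the same as allowed
    return "allow"
```
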