Immunogen and Seattle Genetics are two fascinating biotechs, but they don't make antibodies as such. Instead they link antibodies and deliver them so they can hit their target and make a heat seeking missile targeting cancers and other diseases. What I find fascinating about this is that there are now antibodies that seemed to solve certain diseases but have sat on the shelf for 20-30 years because there was no way to deliver the drug to the right location.
Bilbo Baggins faced a similar problem, slaying the dragon was only one part of the problem. How would he get the gold back to Hobbiton without getting killed or the gold stolen?
Some years ago, Gene Spafford wrote that we know how to build secure systems but that we just are not doing it. I think the answer then and now is that we do not know how to do this until we do it, that is, deliver in the field to real users. But the failing here is not in the security logic; rather, it is a lack of integration.
I imagine the scientist who developed a cancer treatment in, say, 1992 and the exhilaration at watching it work in isolated tests, followed by the deflation when the antibody could not hit its target in a real human body. This raises the question: how do we make Gene Spafford smile?
The answer is that we need better integration of our security primitives. SAML succeeded not because its primitives were better than the cryptosystems that came before, but because SAML recognized a *gasp* user, browser, session, persistence store and services as first-class citizens rather than "implementation details." This kind of integrated thinking is fundamental to a successful deployment.
There's an almost endless set of examples where infosec is not integrated. PCI DSS Section 10 makes a great start on audit logging, but what enterprises often deploy is zombieware: unintegrated (and expensive) SIEM and log management "integration" tools. Audit logging, like everything else in infosec, isn't about silver bullets you can buy and slam into a server rack. It's about sensors, events, typed messages, and reporting.
SAML successfully pushed the crypto down the stack so the developer isn't exposed, but overall access control needs more than just SAML: the attributes and policies need to be wired into the app. Another example of the need for integration is how Android looked at mobile identity as a Linux problem, not a web problem.
Security should look to integrate first: always consider the endpoints, messages, message exchange patterns, channels and management. Gary McGraw's work on touchpoints for security in the SDLC is another good example of integration at the process level. These are fundamental to realizing the security goals.
In 2006 I spent a year looking at building an integration toolkit for exactly the reason you so clearly spell out. I made a lot of mistakes in trying to start that business, but also concluded that at the time (2007) there wasn't a commercial market to make it pay off. Today I think this might be one of those stellar open source projects, as the motivation of people to contribute to build what I had defined as an "adapter" to get on a security bus ...
Posted by: Mark Curphey | April 29, 2012 at 06:44 PM