To return to a long forgotten about thead...

> On Sun, 5 Jun 2005, Darren Reed wrote:
>
> > > Security is about staid and static- that's part of the issue of why it's
> > > difficult to inject it into companies that don't have a real driver for
> > > it.

> >
> > I disagree. Security is about being conservative, which doesn't
> > necessarily imply being static/staid. I think being static/staid can

>
> Oh, but it does- the essence of security is about the tried and true.
> Basic principles haven't changed in thousands of years, even when applied
> to new technologies. Security evolves very slowly, which is why the
> marketing weasels have so much trouble with it.
>
> > lead you down a path that can increase your security risk rather than
> > maintain it. I think being conservative, when it comes to IT, is just
> > plain HARD and this is why companies find it difficult.

>
> Google define: conservative:

...

It might be similar to staid, but it's not the same as static.

> Anything poorly implemented can increase your security risk, however it's
> very rare that disallowing new content is one of them.


I'd contend that when it comes to the web, by default you generally
allow new content, whether you like it or not and may at some time
later decide it is bad.

> > I also think you're wrong about security needing to be a governor,
> > because security types are too conservative and being a governor is
> > to try and manage a situation you have no real control over. THey

>
> You're assuming security people don't have control. This, I think is
> Marcus's main point about giving in too soon. If I have the passwords to
> the firewall, I have control over what traverses it.


I'll argue that you don't have control over what traverses it - in terms
of content. You might control who connects to what.

> > As with the web, so too with any popular technology,
> > if the designers aren't security savvy then we will have problems by
> > design, later. If security misses out at this step then it is very hard
> > to shove it into the box later.

>
> Which is why we prefer to slow them down and make them get it right than
> to react to their dynamic ideas.


I don't think time makes any difference. Things need to be forced
through peer review with security analysis as the primary objective
of evaluation. Put a bunch of Microsoft programmers in a room and
it won't matter if you give them 6 months or 6 years, they'll still
come up with something insecure at the end. The only difference
the time will be the number of useless features.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards