On Tue, 25 Aug 2009, Benjamin Tomhave wrote:

> We should be seeking to innovate outside the box - change the rules of
> the game dramatically - rather than trying to work within the arbitrary
> constructs we've placed around ourselves.
Insert obligatory OWASP ESAPI praise here. The Enterprise Security API project is trying to build an API that makes it easier for application developers to fold in security. If you need crypto, use the crypto API. If you need authentication, use the authentication API. I think ESAPI (or similar APIs) have the potential to be game-changers. One primary benefit is that programmers aren't trying to implement security themselves. One potential selling point to developers would be saving time - rather than wasting days/weeks/months implementing your own authentication scheme, use the API. Obviously there are limitations in its applicability, but it seems to be off to a great start.

http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

This kind of thing could be extended to non-web applications, or possibly introduced to programmers fairly early in education.

Disclaimer: I've participated in the project here and there.

Another way to change the game (besides languages) is to define and adopt more secure protocols. Given how slow DNSSEC and IPv6 have been in terms of adoption, and how rapidly AJAX has grown, I'm not too optimistic for success in this area without serious customer demand.

Even requiring the use of non-proprietary, well-documented protocols and data formats, with strict conformance by implementations, could go a long way - because then you can develop extensive test suites against these standards and use a whitelist-based approach of refusing anything that does not conform. Unfortunately, I'm not too optimistic in this regard, either.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
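The "canonicalize, then accept only what matches a documented whitelist grammar" pattern that Steve's last paragraph describes, as an added illustration that is not part of the original post and not ESAPI's own code. The account-identifier grammar, the `ValidationError` class and the conformance cases are constructed for this example; a real deployment would take the grammar from the published specification.

```python
import html
import re
import urllib.parse

# Constructed whitelist grammar: an account identifier is 3 to 16 characters
# drawn from [A-Za-z0-9_]. Anything that is not literally in this set is refused.
ACCOUNT_ID = re.compile(r"[A-Za-z0-9_]{3,16}")


class ValidationError(ValueError):
    """Raised for any input that does not conform to the whitelist grammar."""


def canonicalize(value: str) -> str:
    """Decode one layer of percent/HTML encoding and refuse multiply encoded input.

    Validating the canonical form closes the gap where an encoded byte would
    pass the grammar check but decode to something else further downstream.
    """
    once = html.unescape(urllib.parse.unquote(value))
    twice = html.unescape(urllib.parse.unquote(once))
    if twice != once:
        raise ValidationError("multiply encoded input refused: %r" % value)
    return once


def get_valid_account_id(value: str) -> str:
    """Return the canonical value only if it fully matches the whitelist grammar."""
    canonical = canonicalize(value)
    if ACCOUNT_ID.fullmatch(canonical) is None:
        raise ValidationError("does not conform to account-id grammar: %r" % value)
    return canonical


def check(value: str):
    """Wrap the validator so a test suite can assert on accept/reject outcomes."""
    try:
        return ("accept", get_valid_account_id(value))
    except ValidationError as exc:
        return ("reject", str(exc))


# Constructed conformance suite: (input, expected outcome). A standard-driven
# suite would be generated from the specification's grammar and edge cases.
CONFORMANCE_CASES = [
    ("alice_01", ("accept", "alice_01")),
    ("%41lice", ("accept", "Alice")),       # single encoding is canonicalized
    ("al", None),                           # below the documented minimum length
    ("alice; DROP", None),                  # characters outside the whitelist
    ("alice\n", None),                      # trailing newline is not in the grammar
    ("%2541lice", None),                    # double-encoded: refused outright
]


def conformance_failures():
    """Return the cases whose outcome differs from the expected one."""
    failures = []
    for value, expected in CONFORMANCE_CASES:
        outcome = check(value)
        if expected is None:
            ok = outcome[0] == "reject"
        else:
            ok = outcome == expected
        if not ok:
            failures.append((value, outcome))
    return failures
```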