Hi Ken,
You raise some important points. Most infosec is approached as a set of
controls, but access control only takes you so far in the face of malice.
I like this quote from G.K. Chesterton
The real trouble with this world of ours is not that it is an unreasonable
world, nor even that it is a reasonable one. The commonest kind of trouble is
that it is nearly reasonable, but not quite. Life is not an illogicality; yet
it is a trap for logicians. It looks just a little more mathematical and
regular than it is; its exactitude is obvious, but its inexactitude is hidden;
its wildness lies in wait.
Notice the distinction: the first part gets to why access control matters - we
can use crypto and such to impose our policies on the logic that we know and
understand, but it does not help us at all with inexactitude. There's no margin of
safety; the control either works or it doesn't.
-gunnar
On Aug 12, 2010, at 7:17 AM, Kenneth Van Wyk wrote:
I figured this was relevant here, so here's a link to my August column for
Computerworld.
Excerpt:
'What's that you say? All the app vetting you've been doing to date consists
only of verifying that the apps play by the rules? That is, that they use
only published APIs and such? Well, then, you really have your work cut out
for you, because that's not all that your customers expect.'
To read the complete article see:
http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17
Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___