[SC-L] Computerworld: Opinion - Making apps secure is hard work

2010-08-12 Thread Kenneth Van Wyk
I figured this was relevant here, so here's a link to my August column for 
Computerworld.

Excerpt:

'What's that you say? All the app vetting you've been doing to date consists 
only of verifying that the apps play by the rules? That is, that they use only 
published APIs and such? Well, then, you really have your work cut out for you, 
because that's not all that your customers expect.'

To read the complete article see:
http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] Computerworld: Opinion - Making apps secure is hard work

2010-08-12 Thread Gunnar Peterson
Hi Ken,

You raise some important points. Most infosec is approached as a set of 
controls, but access control only takes you so far in the face of malice.

I like this quote from G.K. Chesterton

The real trouble with this world of ours is not that it is an unreasonable 
world, nor even that it is a reasonable one. The commonest kind of trouble is 
that it is nearly reasonable, but not quite. Life is not an illogicality; yet 
it is a trap for logicians. It looks just a little more mathematical and 
regular than it is; its exactitude is obvious, but its inexactitude is hidden; 
its wildness lies in wait.

Notice the distinction: the first part gets to why access control matters - we 
can use crypto and such to impose our policies on the logic that we know and 
understand, but it does not help us at all with inexactitude. There's no margin of 
safety; the control either works or it doesn't.

-gunnar

On Aug 12, 2010, at 7:17 AM, Kenneth Van Wyk wrote:

 I figured this was relevant here, so here's a link to my August column for 
 Computerworld.
 
 Excerpt:
 
 'What's that you say? All the app vetting you've been doing to date consists 
 only of verifying that the apps play by the rules? That is, that they use 
 only published APIs and such? Well, then, you really have your work cut out 
 for you, because that's not all that your customers expect.'
 
 To read the complete article see:
 http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17
 
 
 Cheers,
 
 Ken
 
 -
 Kenneth R. van Wyk
 KRvW Associates, LLC
 http://www.KRvW.com
 
 Follow us on Twitter at: http://twitter.com/KRvW_Associates

