mailing list archives
SearchSecurity: 13 Design Principles for 2013
From: Gary McGraw <gem () cigital com>
Date: Thu, 17 Jan 2013 16:36:02 -0500
Merry new year to you all.
About the hardest part of software security is design. Everything about it is hard: secure design, threat modeling,
architectural risk analysis, etc. Even convincing slow pokes that there is a difference between bugs and flaws is hard
(you should see the "reviews" my talk got from the "expert" RSA program committee this year…hah!). For many years I
have struggled with how to teach people ARA and security design. The only technique that really works is
apprenticeship. Short of that, a deep understanding of security design principles can help.
in 1975 Salzer and Schroeder wrote one of the most important papers in computer security. In it, they introduced the
concept of security principles. I riffed on that this month in my SearchSecurity column. Please read it and pass it
on. Give a copy to all of the software architects you know.
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
- SearchSecurity: 13 Design Principles for 2013 Gary McGraw (Jan 17)