Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.

Recent Items
 
Zombie Planet: Spam and Phish Egg Harvesting
 
Lost in Twisty Overlays All the Same: Peer Pressure
 
To Engineer is to Tinker?
 
A Feed Too Far
 
Security is a Programming Problem?
 
Ending the Madness: Deja Triple Vu
 
Your%20Message%20Here
 
Just Ducky, Simply Ducky. And You?
 
All Clear: End of Test #1
 
Why Learn Assembly Language

Archives
2004-06-13
2004-06-20
2004-06-27
2004-08-29
2004-09-05
2004-09-12
2004-09-19
2004-10-10
2004-10-24
2004-11-07
2004-11-28
2004-12-05
2004-12-12
2004-12-26
2005-01-30
2005-02-06
2005-03-06
2005-03-13
2005-03-20
2005-04-03
2005-04-10
2005-04-17
2005-04-24
2005-05-01
2005-05-08
2005-05-15
2005-05-29
2005-06-05
2005-06-12
2005-06-19
2005-06-26
2005-07-10
2005-07-17
2005-07-31
2005-08-28
2005-10-09
2005-10-16
2005-10-23
2005-11-13
2005-11-27
2005-12-04
2005-12-18
2006-01-08
2006-02-05
2006-02-12
2006-02-19
2006-03-05
2006-03-12
2006-03-26
2006-04-23
2006-04-30
2006-07-16
2006-07-30
2006-08-06

Trustworthy Software Security: How Do We Get There From Here?

Here I want to gather some items around processes and architectures by which secure software can be developed and demonstrated.  This is a companion to the preceding piece that was more focused on mitigating attacks and exposing adversaries in the wild.
   I notice that articles captured via their RSS feeds are under-represented in my posted compilations.  I tend to worry first at giving persistent form to clippings that I don't have on my system somewhere.  I will have to look at a way to later connect ones that I have already snagged but not integrated in this way.

Open-Source Safety: Assessing the Many Eyes

ACM News Service: Searching for Substance - The Road to Safe Software.  This blurb emphasizes something that has struck me too.  The open-source development process may be easier to elevate to one that provides safety demonstration than the processes currently used by commercial firms for closed-source wares.  There is a structural difference that may simplify open-source movement to qualification of software quality.

Nigel McFarlane's 2004-09-03 InformIT article begins by addressing how our level of concern about the software we acquire and use has shifted, although the main effect would seem to be paralysis and the lack of opportunity for any serious informed choice.  I like this observation, though it might not land so well with many open-source developers: "Programming is process-oriented, though, and that's where hope lies for better software. Open source software development practices provide that hope."

Nigel's account of the situation with defects and the power of peer reviews is excellent as is his understandable portrayal of the seeds of user apprehension.  In moving to the state-of-affairs with commercial versus some well-known open-source efforts, we also run into issues of perceptions and the disadvantage that commercial offers have in that debate.  Refuge in a cloak of check-off items could lead to distortion of the comparison and disqualification of open-source projects from participation.

I am clinging to the position that demonstrable due diligence can trump check-off items and failure in delivery.  I think open-source can more easily embrace an open body-of-knowledge for demonstration, and it isn't that difficult.  It may not be so much whether nightly builds are done as long as there's more clarity on what is built and how it is established to follow a sustainable process toward demonstrable excellence.

In that regard, the argument for preservation of peer processes and the visibility in which indicators are developed, applied, and contrasted strikes me as both healthy and viable.  And I think the open-source advantage awaits:

"Such quality indicators are all rather awkward if you're a vendor that doesn't want to show anyone your source code, littered as it may be with the defects of intent that you put into it on purpose. They are a must for consumers, though. Alas, we know more about the contents of a jam jar than we do about the software we use."

How Do We Rescue the Technical from the Adversarial?

David Wheeler: Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!.  Nigel uses this article as the kind of open application of technical metrics that are an example of what's possible in an open, peer-review setting.  Well, maybe.  The first problem is to remove the advocacy from it and deal with the metrics.  There is a lot of material here that can be adapted to some kind of neutral appraisal mechanism, but the goal of this work doesn't meet my requirement for an accountability process.  The trick is to remove the belligerently-partisan position that goes beyond

"This goal of this paper is to show that you should consider using OSS/FS when you’re looking for software, based on quantitative measures."

Maybe a quality demonstration can be pulled out of the elements employed in here, but I would not want to tie that into competitive evaluations at all.  It taints the process, no matter how reasonable we find the arguments.

Having said that, I must also acknowledge that David A. Wheeler has some analytic tools and other experiences that will be valuable instruments in creating an accountable community.

Roadmap to Better Code

I mention this article here because an accountability process that works for open-source software engineering has to travel light, work in a fluid community, and attend to basics.  Here's a great place to calibrate for that.

Joel on Software - The Joel Test: 12 Steps to Better Code.  Dana Epp just reviewed Joel's published compendium and points out this gem.  Anderbill ordered the print collection as soon as it was available.  I sat on the fence until now.  There's no question that I need to enact this list and I need to enact the scripting that has it work.  I don't multi-process anywhere as well as I once thought I did, and having by-the-numbers-dead-simple scripts to provide reliable routine processes is more important than I am willing to admit.  I sent off my order before I could lapse once more.

The great thing about Spolsky's approach is that it is clear why I would adopt one practice or another and everything is geared to simplicity in concept and in execution.

---

I gave up and asked Joel where this great photo of the Seattle sky-line was taken from.  I was way off in my guess and I had to struggle with my Thomas Guide to see how that angle of view could be accomplished.  I see I will have to go there myself and see how it was done.  Since I have been blogging about Seattle funkiness, I will snap the Fremont Troll at the same time, perhaps.

Dependable Security of Fallible Systems

ACM News Service: In Computers We Will Trust, Even Fallible Ones.  Here's a follow-up on MAFTIA, the IST Project that is gathering together elements needed to accomplish intrusion-tolerant networked systems.  MAFTIA research results are being applied in a number of projects around the world.  Industry partnerships are also underway for moving research prototypes into product developments.

The 2004-09-09 IST Results feature links to the Malicious- and Accidental-Fault Tolerance for Internet Applications (MAFTIA) site and the final materials of the now-completed project, with final workshop held in February, 2003.  There is a substantial body of deliverables, mostly in the form of documents, but that does include APIs and protocols for the MAFTIA Middleware.

In Federated Identity We Trust

ACM News Service: Toward a Federated Future.  Peer-to-Peer technology raises, in its way, the kind of identity concerns that are also leading to expansion of federated network models in commerce with single sign-on models, including Microsoft Passport, the Liberty Alliance effort, and the convergence on compatibility arrangements through OASIS.  The notion of dynamic federation by which party A trusts party C based on party B's assertion engages all of the proxy concerns that we have in dynamic distribution of computer services.

The 2004-09-03 Neil McAllister InfoWorld analysis uses your experience at a remote ATM as an example of federated behavior.  I can attest to the seamlessness.  It is my routine way of transferring cash from my bank account to Euro in my hand while traveling in Italy.  This is a specialized case, and the speciality of it may be a large part of its success.  Seeing how the technique extends into dynamic arrangements among enterprises, within enterprises, and between individuals via their agents will be educational at least.  The article identifies the fundamental "questions as to where user identity should actually reside, the role of technology versus the role of trust, and how open standards can ever hope to rationalize the matrix of permissions required to share user information across an endless diversity of systems and organizations." The personal case arises in the participation of individuals as consumers.

The full article delves into specific standards, provides a variety of related links, characterizing the WS-stack and SAML work at OASIS.  There are a number of commercial, private solutions for federated identity that provide early support for the hoped-to-be-emerging standards.

Getting the (Software) Story Straight

ACM News Service: Don't Just Break Software, Make Software.  This blurb points to some features of StoryTest-Driven Development (STDD) that seem to keep attention on the problem space and achieve early confirmation of requirements understanding.  It looks good, now to find the original source.

Cybersecurity roundtable: Schmidt, McLure, and Moshir

ACM News Service: Talking Computer Security.  This blurb is on an useful roundtable on securing cyberspace.

The July 2004 issue of CyberDefense Magazine cover article provides valuable profiles of the participants and roundtable responses to a rich set of questions.  There was considerable harmony around designing for security first, and the three claimed to see progress in software and, most of all, education about security.

Don't Hack My Session

MSDN Security Development Center: Foiling Session Hijacking Attempts.  This is an update of a Jeff Prosise Wicked Code column that provides a nice overview about session cookies and then making it difficult to spoof a session cookie for hijacking a session.  This is an important aspect of security design for a web site that involves any access privileges for trust levels better than "untrusted."

This is an useful reminder of the ways that interactive web applications are exposed as well as what it takes to establish that there are adequate defenses against adversarial attacks.

Security Related Lifecycle Design

ACM News Service: Hack This.  This blurb is about approaches from the National Institute of Standards and Technology (NIST) for creating embedded systems that continue operation in the face of security threats.

Warren Webb's 2004-07-22 EDN.com article has more detail and a daunting lead: "As hackers move down the food chain from desktops to embedded systems, hardware-and software-security decisions dominate the design process."  The NIST report is document 800-27, Engineering Principles for Information Technology Security (pdf file).

MAFTIA means Family?

ACM News Service: UK Researchers Shortlisted for €1m Award.  The small m means it is in euro, in case you can't see the currency symbol itself.  The work that may be honored is about constructing networks that close the gap between dependability and security, without single points of trust and single points of failure.  There is allusion to rigorous work in cryptographic systems and having a standard cryptographic semantics, so this is something to find out about, including the IBM replicated certification authority.

The 2004-07-26 Michael Parsons article in ZDNet UK provides more, along with a link to the MAFTIA project. The EU Descartes prize award won't be announced until December 2, 2004.  I trust that the ESPRIT server-selector isn't build on this technology.  By the way, it appears that the MAFTIA project ended over one year ago.

Twiddling Away at the Train Wreck

ACM News Service: While Rome Burns?.  This blurb caught my eye because of the juxtaposition of Steve McConnell's appeal for personal discipline in contrast with Grady Booch's challenge to keep innovating.  And, I want very much to see how JXTA does its job around self-discovery and authentication.

The Software Development Online article from SDWest 2004 by Rick Wayne is too hard to register for.  These systems are brutal and don't work with my password safe.  And I found the report on Steve McConnell's address to be worth it.  This is not a recent conference, but one to give pause.  According to McConnell, the code-and-fix mindset has reigned without interruption as Champion Worst Practice since the 1993 edition of Code Complete.

Open Source Security: Trustworthy Enough?

ACM News Service: An Eye Opener on Open Source Internet Security.  The SECRETS project evaluated open-source software for internet security and concluded that there is a dearth of standardization and there are interoperability problems.  OpenSSL is considered a reasonable choice because it boasts sufficient documentation.  I have been noticing how inadequate the documentation on OpenPGP and GnuPG are, and how much is left to craft and community knowledge, so I can sympathize.  Since OpenSSL is based on PKI, this seems like a promising place to start investigating how Open-Source mastery of PKI can work in terms of open usage and new trust models.

The IST Results page describing the project provides more links and extended detail.  The SECRETS site is not so forthcoming, although there is a final report available as the only public deliverable.

Pushing Security Best Practices

ACM Technews: Corporate Governance Task Force Pushes Security Best Practices.  This is an interesting call to action, embodied in a new task-force report.  While funding for software tools that root out defects is suggested, there is also a strong concern for a management framework and involvement at the executive and boardroom levels. "Security is more about risk management; security assessment should involve the needs of the business overall," says John Summers, Unisys managed security services global director.

The 2004-07-07 Mathew Schwartz Enterprise Systems Journal article provides more details and some interesting links.

More Insecure Future

ACM News Service: An Insecure Future.  The provocative aspect of this blurb is that embedded system designers feel unable to rely on third-party security products or the underlying operating system.  The blurb still seems confused to me, in that it appears focused on ways to avoid reverse-engineering of embedded systems to discourage discovery of security vulnerabilities.  That sounds off.

The link to Niall Murphy's 2004-06 Embedded Systems Programming article isn't working for now.  Check later.

Another Accountability Tool?

ACM News Service: OASIS Passes Flaw-Reporting Standard.  This blurb heralds the approval of Application Vulnerability Description Language (AVDL) version 1.0.  Although the vulnerabilities are with respect to security and network exploits, this specification supposes the existence of AVDL-enabled application scanners that can generate flaw-assessment data used in firewall rule configuration, for example. 

I find that rather mysterious, but the general idea of being able to scan for (maybe syndicate) flaw assessments of many kinds sounds interesting, and I wonder if AVDL can be applied to that.

Clint Boulton's 2004-06-23 Internetnews.com security article provides links and mentions how AVDL is complementary to the Web Applications Security specification already released.

---

update 2004-09-15T14:48Z OK, the down side of long aggregated posts is that I forget to run the spell checker and I wouldn't notice I'd misspelled "Spolsky" anyhow, if I was already remembering it wrong.  And people's names are kinda sacred and then what about all the other names I didn't double-check.  Is that why journalists get the big bucks, they have this memory for names?  Whimper.  Thanks, anderbill.  PPS: I don't know how Blogger loses the Euro symbol that I carefully found and that I can't find again.  It turns out that character entity € works just dandy.  Sob.

posted by orcmid at 9/15/2004 01:12:47 AM, rating data by NewsGator Online

 
Comments:

 
I have followed-up with another chunk around the situation with security and dependability of open-source software.  More is accumulating also.  This seems to be a widening conversation.

[I am using the comment mechanism to confirm a template change on this blog.  Why not!]

# posted by orcmid: 10/04/2004 10:54 AM

 

Post a Comment