Solving the wrong security problems and avoiding sacred cows


Here is an interesting article by Spaf (Prof. Eugene Spafford) on the state of security research and development today. The argument is that we are spending too much time of building fixes, without addressing the root problems. In this case, the root problems include development techniques and languages, and inadequate operating systems. The analogy to sacred cows is interesting.

Solving some of the Wrong Problems

We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it. Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised.

Leave a new comment (all comments are moderated):

Your email address will not be published. Required fields are marked *

Answer this question to comment * Time limit is exhausted. Please reload CAPTCHA.