Date: Wed, 27 Dec 2006 04:15:50 -0800
From: coderman <coderman@...il.com>
To: "Michael Zimmermann" <zim@...aa.de>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: [WEB SECURITY] Re: comparing information security to other industries

On 12/27/06, Michael Zimmermann <zim@...aa.de> wrote:
> ...
> I think, one possible way to improve the situation
> is to follow the money to a lesser degree. In our
> own job as well as in our role as a customer.
> Ready for that?

if the answer is going to be YES, then the consumer (you) needs a
simple way to visibly and intuitively compare the relative security
merits of similar integrated systems / domains. [0]

some of the aspects / characteristics of interest may include:
- usability!
- defense in depth to guard against failures of privacy,
authentication, or availability [1]
- accountability and oversight of critical operations / privileges
- transparency to expert review and other methods of assuring
integrity (this is one aspect of security where open source software
may provide stronger reputation)

security has to begin at development and the tools for measuring
security aspects at this level and out into protocols and hardware
platform are few and rarely used.  (look at the MOKB for a recent
reminder...) [2]


0. application and/or operating system security is meaningless by
itself given the way the security flaws of either affect each other
from a user view or effective risk comparison.

1. this is one example where virtualization is a useful way to
constrain the attack surface presented to attackers.  chroot and other
resource access control methods can be viewed as a subset of
virtualization-like isolation between security domains, useful for
strong defense in depth along with existing best practices for
development and host integrity.

2. "Month of Kernel Bugs"
    http://projects.info-pull.com/mokb/
    [fuzz testing, automated regression and load/stress tests,
defensive coding techniques and other measures that address almost all
of the vulnerabilities on this list should be a standard part of any
software development process associated with components of a secure
computing base under the "methods of assuring integrity" aspect of
improving security (the secure computing base including anything
handling cryptographic keys or privileged operating system
functions).]
