Something a little different for today; my boss wrote to me regarding some slideware:
Alec, I'd like to identify some aspects to trends in Security.
Have you observed particular security trends for web computing?
...and this is my response. I'll be mailing him the URL. You get to see it first. :-)
So, have I observed particular security trends in Web Computing?
Not really, for reasons which I partially explain in a
recent posting on my home blog
- the short version being that
I believe there are no new security bugs, ever,
and from this it's a pretty easy step to declaring security to be a
"solved problem", although that carries the proviso: "if and only if
you bother to hire people who understand security".
So if we want to write about the state of the art of "security and web
computing" then I feel we should do it in terms of the "maturation" of
Web Computing technologies.
Twenty years of geekery has taught me all technologies go through a
wild-and-insecure phase until the implementational goofs instilled by
the visionaries get hammered out by the embarrassment of exploits, and
the needs of business. How often do you see websites which still use
plaintext password cookies in anger? Yes, some people still goof in
implementation, but at least a large body of people now recognise that
such design and implementation artifacts are goofs.
For the people who don't know this, there are always consultants
who can help. :-)
So my thesis would be: people are getting used to the idea that
perhaps mashups need a little more thought than "we'll just glue it
together and it will work OK"; also people are finally getting to
understand that the concept of "security" is bogus, being as it is
actually an umbrella term for a bunch of qualities, including but not limited to:
- privacy and secrecy
- privilege separation and enforcement, leveraging all of
- authorization and
- and all of the other stuff above, plus finally and most important of all...
- wisdom regarding the creation of security policy, and consequent design and implementation
So as we move into an age of maturation of web technologies, attitudes
and received wisdom are starting to shift; people are now less scared
of letting just anyone write all over their website so long as you
know who it is that is doing it, and people are beginning to realise
that by replacing barriers-to-creation with knowledge-of-authorship
(i.e. identity, authentication, authorization) - plus the additional
ability to 'roll back' so you can circumvent the
expected but survivable inevitable vandalism
- people realise you can now invite the world to create content with you.
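As an added illustration of that shift (example code written for this page, not something from the original post or any particular wiki engine), here is a toy content store that replaces barriers-to-creation with knowledge-of-authorship: anyone with an authenticated identity may write, every write is recorded as an immutable revision attributed to that identity, and vandalism is handled by rolling back to an earlier revision rather than by refusing edits up front. The `SESSIONS` table, the token strings and the `lookup_session` callback are constructed stand-ins for a real authentication layer.

```python
"""Attributed, append-only page history with roll back.

Added example, not code from the original post. The session table and
the lookup callback are constructed stand-ins for a real identity layer.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional
import time


@dataclass(frozen=True)
class Revision:
    number: int       # 1-based, monotonically increasing
    author: str       # authenticated identity that made the change
    content: str      # full page text after the change
    note: str         # free-text edit summary (who/why is kept, not just what)
    timestamp: float


class AuthenticationError(Exception):
    """Raised when a write cannot be attributed to a known identity."""


class AttributedPage:
    """Append-only revision log: edits are never deleted, only superseded."""

    def __init__(self, authenticate: Callable[[str], Optional[str]]):
        # authenticate(token) returns an identity string, or None for an
        # unknown token. Injected so this class never handles raw credentials.
        self._authenticate = authenticate
        self._revisions: List[Revision] = []

    def _require_identity(self, token: str) -> str:
        identity = self._authenticate(token)
        if identity is None:
            raise AuthenticationError("edits must be attributable to an authenticated identity")
        return identity

    def _append(self, author: str, content: str, note: str) -> Revision:
        rev = Revision(len(self._revisions) + 1, author, content, note, time.time())
        self._revisions.append(rev)
        return rev

    def edit(self, token: str, content: str, note: str = "") -> Revision:
        """Any authenticated identity may write; the write is attributed."""
        return self._append(self._require_identity(token), content, note)

    def revert(self, token: str, to_number: int, note: str = "") -> Revision:
        """Roll back by appending a new revision that restores older content.

        The vandalism stays in the history, attributed to whoever did it;
        the revert is itself attributed to whoever performed it.
        """
        author = self._require_identity(token)
        if not 1 <= to_number <= len(self._revisions):
            raise ValueError(f"no revision {to_number}")
        target = self._revisions[to_number - 1]
        superseded = self._revisions[-1]
        summary = note or (
            f"revert to revision {to_number}, undoing revision "
            f"{superseded.number} by {superseded.author}"
        )
        return self._append(author, target.content, summary)

    def current(self) -> Optional[str]:
        return self._revisions[-1].content if self._revisions else None

    def history(self) -> List[Revision]:
        return list(self._revisions)


# Constructed session table standing in for a real authentication service.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}


def lookup_session(token: str) -> Optional[str]:
    return SESSIONS.get(token)


def demo() -> AttributedPage:
    """Alice writes, Mallory vandalises, Alice rolls back; nothing is lost."""
    page = AttributedPage(lookup_session)
    page.edit("tok-alice", "Welcome to the wiki.", "initial text")
    page.edit("tok-mallory", "HAXX0RED", "vandalism")
    page.revert("tok-alice", 1)
    return page


if __name__ == "__main__":
    for rev in demo().history():
        print(f"r{rev.number} by {rev.author}: {rev.content!r} ({rev.note})")
```

The point of keeping the vandalised revision in the log rather than deleting it is that attribution is the control: the open write policy is acceptable precisely because every change, including the revert, carries an identity you can act on later.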
Sufficient technologies to solve all extant security problems now
exist - modulo the chest-beating efforts of vendors to pitch new
solutions to problems which they hope people will encounter - but from
my perspective it's the shift in people's attitudes to security which
is most interesting.
"Forget prior restraint and access control, build trust, identity and
I find that exciting; it's always been possible, but twenty years ago
had you stated it was your goal, people would say you were nuts.