Wednesday Apr 25, 2007

SLOTD: A Personal View On Web2.0 Security (video)

A bit of an experiment for you today - Last night I fired up iMovie and talked into my webcam about Web2.0 and the future challenges of security, and edited the results into a short video. The results are included below, and more context - including links to the referred-to paper from 1997 - is available in the original blog posting.


I hope to do one of these videos - filming colleagues, asking questions - about every other week, and perhaps weekly once we get some experience.

- alec

ps: when we were setting up the security community blog, I made a point of saying that it "shouldn't and won't be filled with pictures of cats - the postings will stay on topic"; please note that the cat in the video therefore is an incidental cat, rather than the focus of the commentary. :-)

Tuesday Apr 10, 2007

2007-04-11 Security Post Of The Day

Something a little different for today; my boss wrote to me regarding some slideware:

Alec, I'd like to identify some aspects to trends in Security. Have you observed particular security trends for web computing?

...and this is my response. I'll be mailing him the URL. You get to see it first. :-)

So, have I observed particular security trends in Web Computing?

Not really, for reasons which I partially explain in a recent posting on my home blog - the short version being that I believe there are no new security bugs, ever, and from this it's a pretty easy step to declaring security to be a "solved problem", although that carries the proviso: "if and only if you bother to hire people who understand security".

So if we want to write about the state of the art of "security and web computing" then I feel we should do it in terms of the "maturation" of Web Computing technologies.

Twenty years of geekery has taught me that all technologies go through a wild-and-insecure phase until the implementational goofs instilled by the visionaries get hammered out by the embarrassment of exploits, and the needs of business. How often do you see websites which still use plaintext password cookies in anger? Yes, some people still goof in implementation, but at least a large body of people now recognise that such design and implementation artifacts are goofs.

For the people who don't know this, there are always consultants who can help. :-)

So my thesis would be: people are getting used to the idea that perhaps mashups need a little more thought than "we'll just glue it together and it will work OK"; also people are finally getting to understand that the concept of "security" is bogus, being as it is actually an umbrella term for a bunch of qualities, including but not restricted to:

  • integrity
  • availability
  • privacy and secrecy
  • trustworthiness
  • privilege separation and enforcement, leveraging all of
    • authentication,
    • authorization and
    • identity
    • and all of the other stuff above, plus finally and most important of all...
  • wisdom regarding the creation of security policy, and consequent design and implementation

So as we move into an age of maturation of web technologies, attitudes and received wisdom are starting to shift; people are now less scared of letting just anyone write all over their website so long as they know who it is that is doing it, and people are beginning to realise that by replacing barriers-to-creation with knowledge-of-authorship (i.e. identity, authentication, authorization) - plus the additional ability to 'roll back' so you can circumvent the expected but survivable inevitable vandalism - you can now invite the world to create content with you.

Sufficient technologies to solve all extant security problems now exist - modulo the chest-beating efforts of vendors to pitch new solutions to problems which they hope people will encounter - but from my perspective it's the shift in people's attitudes to security which is most interesting.

"Forget prior restraint and access control, build trust, identity and integrity instead."

I find that exciting; it's always been possible, but twenty years ago had you stated it was your goal, people would say you were nuts.
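As an added illustration of the knowledge-of-authorship-plus-rollback model argued for above (example code, not from the original post): a document that any authenticated session may edit, where every revision records its author and is hash-chained for integrity, and vandalism is undone by an attributed rollback rather than prevented up front. The session table, the token and user names, and the class names are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
# Hypothetical session table: opaque session token -> authenticated identity.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

@dataclass(frozen=True)
class Revision:
    number: int
    author: str
    content: str
    digest: str  # SHA-256 chained over the previous revision, for integrity

def _digest(prev: str, author: str, content: str) -> str:
    return hashlib.sha256(f"{prev}|{author}|{content}".encode()).hexdigest()

class OpenDocument:
    # Anyone authenticated may write; every change is attributed and revertible.
    def __init__(self, creator_token: str, content: str = ""):
        self.revisions: list[Revision] = []
        self.write(creator_token, content)

    @staticmethod
    def _identify(token: str) -> str:
        # Authentication is the only gate: an unknown session is refused outright.
        if token not in SESSIONS:
            raise PermissionError("unauthenticated edit refused")
        return SESSIONS[token]

    def write(self, token: str, content: str) -> Revision:
        author = self._identify(token)
        prev = self.revisions[-1].digest if self.revisions else ""
        rev = Revision(len(self.revisions), author, content, _digest(prev, author, content))
        self.revisions.append(rev)
        return rev

    def rollback(self, token: str, to_number: int) -> Revision:
        # Rolling back is itself an attributed write, so the audit trail stays complete.
        return self.write(token, self.revisions[to_number].content)

    def blame(self) -> list[tuple[int, str]]:
        return [(r.number, r.author) for r in self.revisions]

    def verify_chain(self) -> bool:
        # Recompute the hash chain; a revision altered in storage breaks it.
        prev = ""
        for r in self.revisions:
            if _digest(prev, r.author, r.content) != r.digest:
                return False
            prev = r.digest
        return True
```

Note that the rollback leaves the vandal's revision in the history: the point is that the who and the what are recorded, not that the write was ever blocked.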
