Friday, February 1, 2008

Becoming a Security Expert

The current issue of IEEE Security & Privacy features an article titled Becoming a Security Expert.

In it, the author (Michael Howard, Microsoft) ponders the question: "How do you try to learn security?"

Before the author starts answering the question, he observes:
"At Microsoft, we hire thousands of engineers each year--some straight from school, others from academia, government, and industry--and the percentage of people who understand how to build secure systems is miserably slim."
Next, the lessons learned:
No single "magic tool" will make you secure. The point that Michael makes is that it takes a holistic approach that includes education, secure design, updated development toolsets, good testing techniques, and security responses. Of course, this is used to plug the Microsoft Security Development Lifecycle (MS SDL), but that was to be expected.
Stay ahead of the attackers. Another obvious one, and yet another plug for Microsoft.
It's asymmetric. The old adage: defenders must defend all points, attackers can choose the weakest one; etc.
The article goes on to cover more (valid) observations, but I do not think it lives up to its title. It is not a "guide" to becoming a security expert, but rather an overview of good practices and known problems. Yet, when ignoring the Microsoft bias, it is really not a bad article at all.
In any case, it is good to see (again) that Microsoft is indeed intending to include security aspects in the development life cycle. How well they succeeded is something that we'll see when (if?) Vista spreads more.
Reference: Michael Howard, "Becoming a Security Expert," IEEE Security & Privacy, vol. 6, no. 1 (Jan/Feb 2008), pp. 71-73.
