Updated: 2.9.2002; 22:17:43 GMT

Security Weblog



Wednesday, August 21, 2002

Bootstrapping security

Mark is contemplating the mobile Internet and draws some conclusions about the security and general usefulness of the technology. Applying those two to Web Services, he says:

"The lessons here for Web Services are: (1) Security shouldn't be an afterthought. (2) Equally, don't hype a technology based on the technology alone."

Let's spare some thoughts on the first one. From what I see around, I would say that there is a clash between the requirement to make security an integral part of the technology and commercial pressures. The high-tech market has so far worked like this: whoever comes first with a new product locks in the customers and grabs the biggest market share. Therefore a short time-to-market is the technology businessperson's best friend. Doing security properly requires extra time and money that don't translate into anything visible to the user, and so, for obvious reasons, the same time-to-market is the security engineer's enemy.

Of course, that's a short-term perspective. To describe the long-term cycle of build-up and adoption of technology, Dave Winer uses the metaphor of bootstrapping, or layered adoption of technology components. To start bootstrapping, you need something functioning, not necessarily something secure. I'm sorry, but bootstrapping is not a friend of the security engineer either.

Everybody has probably heard more than enough about the outputs of time-to-market pressures for major products, and about the difficulty of making new versions backward compatible and secure at the same time. On the other hand, it is not hard to come up with examples of projects that failed because of over-engineered security. And some of these failures must have been quite spectacular.

What will the future hold? I think that the business side needs to find a viable approach that thinks security through from the beginning, but deploys it as the technology gets bootstrapped. I am painfully aware that this idea probably has many catches. Still, many questions remain. Is this possible? Does the current wave of open standards mean that the nature of high-tech markets has changed? Or is everything just another play of clever business strategy, marketing and PR? No simple answers, I'm afraid.

11:14:20 PM

Copyright 2002 © Jiri Ludvik.