Updated: 2.10.2002; 20:06:00 GMT
Security Weblog

Mark O'Neill notes:
In fact I wonder what constitutes Web Services security. Yesterday it was XML Encryption, XMLDSIG, today it's WS-Security and SAML. Tomorrow we will be served the rest of Microsoft's security roadmap and then perhaps XACML and XrML. Where is the boundary when security will be supposed to be finished?

9:45:32 PM

Recently, I have come across Peter Gutmann's paper on public key cryptography. What appears in the slides several times is that the main reasons for failure of public key crypto deployments are financial and social issues. This resonates with my opinion that good security is, in the end, just a matter of money. Let's have a look at some recent news with this perspective in mind.

When commenting on the recent surge of XML firewall announcements, Phil Wainewright from the Loosely Coupled weblog suggests that perimeter protection is (almost) irrelevant. He suggests that the ideal solution would be "distributing security down to every device, every user, and every service." However, this approach does not scale up because costs to build and run security in this case grow linearly (maybe even exponentially) with every application and every new device brought into the equation. Security has to be added into each application and each host has to be hardened, patched and audited. What's more, this approach assumes including security as a part of any project from the beginning. Quite a sensible thing, but it requires a cultural change and thus is not widespread, I am afraid.

On the contrary, firewalls are still for most organisations the ultimate security silver bullet. Buy it (or download it from SourceForge), configure and voila, you have security for the whole company for the same price whatever the size of your network is. A service shared by the whole infrastructure - security business service bus, anybody?

There are other good security practices that, when followed, can lead to considerable extra costs. For instance, design for failure. Observing this principle religiously often leads to the need for redundancy. This in turn means an extra set of equipment, i.e. double cost, which again doesn't go down well with the budget holders. If I get into a position to assess security and give recommendations, I will be the first to talk about the insufficiency of protection provided by a firewall and about the need to consider clustered servers (be it done at operating system or database level) or load-balancing. Been there, done that. Advice is cheap. On the other hand, when you get to be in charge of building systems that should be secure under a limited budget, I bet you would be thinking twice where and how to spend the money.

I am aware that the authors mentioned above don't offer the picture as black-and-white as I presented here. And my intention is not to pick on them. What I want to say though is that in security "all depends". The first lesson I learnt when I started in this business was that to be successful, security must, above all, be pragmatic.

8:20:14 PM