Results 1 to 15 of 17

Thread: What makes security hard?

  1. #1
    Michael Howard Guest

    What makes security hard?


    I'd like to understand what makes security hard. Is it gluing security islands
    together? is more knowledge required? Is it time constraints?

    what?

    lemme know!

    Cheers, MH

  2. #2
    Eli Allen Guest

    Re: What makes security hard?

    When implementing security well requires time that others think is useless
    because their less secure idea is easier to implement.
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:39cba91a$1@news.devx.com...
    >
    > I'd like to understand what makes security hard. Is it gluing security
    > islands together? is more knowledge required? Is it time constraints?
    >
    > what?
    >
    > lemme know!
    >
    > Cheers, MH




  3. #3
    Eli Allen Guest

    Re: What makes security hard?

    Personal firewall. People seem to overreact to any random packet.
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:39cba91a$1@news.devx.com...
    >
    > I'd like to understand what makes security hard. Is it gluing security
    > islands together? is more knowledge required? Is it time constraints?
    >
    > what?
    >
    > lemme know!
    >
    > Cheers, MH




  4. #4
    Paul McKitrick Guest

    Re: What makes security hard?


    Hi all,

    I am completing an Information science degree, focused more
    towards business and clients, our University also offers a
    Computer Science degree which is focused towards programming.
    Throughout this last year I have been getting into security as I
    finish my Uni degree, this is now my main interest and focus and
    is the career path I want to follow. One problem is that there
    is only 1 security course in my degree which is an optional
    postgraduate course and one optional networking course at the
    final year of the undergrad degree.

    This is one of the first issues that makes security hard, as it
    is not being taught enough, it should be a part of an undergrad
    degree from an earlier stage.

    Secondly, to learn I do a lot of research on the net about
    security, however I keep running into things that are
    programming related (like overloading or overstacking memory??)
    that I do not have a clue about, due to lack of knowledge of
    programming and various languages.

    What I have found to be the hardest aspect of security overall is that
    there is just so much to learn. Even though the avenues of
    attack are limited there are so many possible threats and types
    of threats to discover and know about.
    The content itself is not hard it is just the volume of content
    to keep up with.

    Hope this gives you an insight to what is going on inside a
    newbie's head.

    Ciao,
    P.


  5. #5
    Michael Howard Guest

    Re: What makes security hard?


    your first point, lack of education is a valid one. i remember speaking to
    an 'esteemed' professor some years back, he mentioned that the industry needs
    to do more to beef up security. i agreed. but i also pointed out that we
    need to teach this stuff too!!

    cheers, mh

    "Paul McKitrick" <paul.mckitrick@stonebow.otago.ac.nz> wrote:
    >
    >Hi all,
    >
    >I am completing an Information science degree, focused more
    >towards business and clients, our University also offers a
    >Computer Science degree which is focused towards programming.
    >Throughout this last year I have been getting into security as I
    >finish my Uni degree, this is now my main interest and focus and
    >is the career path I want to follow. One problem is that there
    >is only 1 security course in my degree which is an optional
    >postgraduate course and one optional networking course at the
    >final year of the undergrad degree.
    >
    >This is one of the first issues that makes security hard, as it
    >is not being taught enough, it should be a part of an undergrad
    >degree from an earlier stage.
    >
    >Secondly, to learn I do a lot of research on the net about
    >security, however I keep running into things that are
    >programming related (like overloading or overstacking memory??)
    >that I do not have a clue about, due to lack of knowledge of
    >programming and various languages.
    >
    >What I have found to be the hardest aspect of security overall is that
    >there is just so much to learn. Even though the avenues of
    >attack are limited there are so many possible threats and types
    >of threats to discover and know about.
    >The content itself is not hard it is just the volume of content
    >to keep up with.
    >
    >Hope this gives you an insight to what is going on inside a
    >newbie's head.
    >
    >Ciao,
    >P.
    >



  6. #6
    Eli Allen Guest

    Re: What makes security hard?

    The universities are too worried about theory to do much with security
    besides doing the crypto algorithms. Or at least that's what I've seen so
    far at Maryland.
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:39f74d0d$1@news.devx.com...
    >
    > your first point, lack of education is a valid one. i remember speaking to
    > an 'esteemed' professor some years back, he mentioned that the industry
    > needs to do more to beef up security. i agreed. but i also pointed out that we
    > need to teach this stuff too!!
    >
    > cheers, mh





  7. #7
    Michael Howard Guest

    Re: What makes security hard?


    >>doing the crypto algorithms


    that's funny! crypto is no panacea - in fact the best crypto is lousy if
    you don't store the keys well!

    "Eli Allen" <eallen@bcpl.net> wrote:
    >The universities are too worried about theory to do much with security
    >besides doing the crypto algorithms. Or at least that's what I've seen so
    >far at Maryland.
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >"Michael Howard" <mikehow@microsoft.com> wrote in message
    >news:39f74d0d$1@news.devx.com...
    >>
    >> your first point, lack of education is a valid one. i remember speaking
    >> to an 'esteemed' professor some years back, he mentioned that the industry
    >> needs to do more to beef up security. i agreed. but i also pointed out that
    >> we need to teach this stuff too!!
    >>
    >> cheers, mh

    >
    >
    >



  8. #8
    Eli Allen Guest

    Re: What makes security hard?

    That's protocol. That's why I said I'm annoyed with the way it's taught. You
    can know the algorithms well but if the rest isn't implemented right it's
    still insecure. Plus screwing up the algorithm itself is kind of hard not
    to mention the math behind it doesn't help with using it.
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:3a06f0c0$1@news.devx.com...
    >
    > >>doing the crypto algorithms

    >
    > that's funny! crypto is no panacea - in fact the best crypto is lousy if
    > you don't store the keys well!
    >




  9. #9
    Brad Good Guest

    Re: What makes security hard?


    So, if security is such a big subject, then where do you start? What should
    the normal small company that has web sites do for security?

  10. #10
    paul noeldner Guest

    Re: What makes security hard?


    I think it's the tendency of people to gloss over details when they sell things,
    and then have to deal with the real world complexity when they implement
    them. For example, lots of people think 'ldap' somehow solves security and
    functionality problems for web apps. It does neither, it's just data. The
    biggest challenge is integrating the security models of these islands: ldap,
    operating system, and services eg email or personalization. The only integrated
    solutions today are proprietary, eg Microsoft Site Server ldap + NT (or 2000)
    system security plus Site Server personalization. These all enforce the
    same security no matter what the access mode. The funny thing about alternatives
    using 'open' solutions today, is that they are also all independently proprietary
    because each carries its own security model island. Solutions? I'm looking
    to XML security (whatever evolves) to provide standard interfaces for both
    the security model and the security context - across languages, platforms,
    and services....

    "Eli Allen" <eallen@bcpl.net> wrote:
    >Personal firewall. People seem to over react to any random packet.
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >"Michael Howard" <mikehow@microsoft.com> wrote in message
    >news:39cba91a$1@news.devx.com...
    >>
    >> I'd like to understand what makes security hard. Is it gluing security
    >> islands together? is more knowledge required? Is it time constraints?
    >>
    >> what?
    >>
    >> lemme know!
    >>
    >> Cheers, MH

    >
    >



  11. #11
    paul noeldner Guest

    Re: What makes security hard?


    Yup. Examples include the stupidity of not enforcing SSL in FTP logons, not
    enforcing SSL in web logons, and the assumption that web servers are by default
    not secure (why shouldn't they be?) so any trivial thin layer of security
    like role based URL access is seen as better than nothing....

    "Eli Allen" <eallen@bcpl.net> wrote:
    >When implementing security well requires time that others think is useless
    >because their less secure idea is easier to implement.
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >"Michael Howard" <mikehow@microsoft.com> wrote in message
    >news:39cba91a$1@news.devx.com...
    >>
    >> I'd like to understand what makes security hard. Is it gluing security
    >> islands together? is more knowledge required? Is it time constraints?
    >>
    >> what?
    >>
    >> lemme know!
    >>
    >> Cheers, MH

    >
    >



  12. #12
    Michael Howard Guest

    Re: What makes security hard?


    rule #1 - Analyze your threats. There's a two-part article at security.devx.com
    to get you started.

    rule #2 - Defense in Depth. Assume everything in front of you has been destroyed
    and you have to protect yourself.

    rule #3 - don't be afraid to ask for advice!

    "Brad Good" <good@penn-america.com> wrote:
    >
    >So, if security is such a big subject, then where do you start? What should
    >the normal small company that has web sites do for security?



  13. #13
    Michael Howard Guest

    Re: What makes security hard?


    >>not enforcing SSL in FTP logons


    There is no server/client combo that I know of that supports FTP over SSL.


    <snip>

  14. #14
    Eli Allen Guest

    Re: What makes security hard?

    There are ways of getting ftp to go over ssh though
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:3a22ff5d$1@news.devx.com...
    >
    > >>not enforcing SSL in FTP logons

    >
    > There is no server/client combo that I know of that supports FTP over SSL.
    >
    >
    > <snip>




  15. #15
    Michael Howard Guest

    Re: What makes security hard?


    and IPSec :-) the good news about IPSec is ALL apps access remote servers
    securely and transparently.

    "Eli Allen" <eallen@bcpl.net> wrote:
    >There are ways of getting ftp to go over ssh though
    >--

    <snip>

