[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Managing Innovation
>Can we 'do the simplest thing that will possibly work' >and still produce a secure system. Sure; viz Unix. >>Unlike usability, considering *trust* issues as you set out to design >>will usually preclude the simplest thing from being done. > > Ok. Not being a security expert, I can agree with that, but again, > if the code base is secured, then innovation can proceed simply by > using that code base. Don't conflate "no security bugs" with "trust issues." I'm not so sure I agree with Chris. For example, if Windows was designed with multipler users and networking in mind, then from the beginning it would have seen the need to associate some kind of identity and content-integrity with macro packages, etc. Instead, automation and COM (their mechanism for scripting applications together), was built to just blindly believe -- and, more dangerously -- have the clients that were tied to it blindly believe -- what came in. I think it would be much simpler if IE didn't try to guess content-type, but accepted what the MIME headers said, and did sanity-checking against it; that would have knocked many worms/virii right out of the starting gate, and seems simpler. It's when you need/want to retrofit security into a no-security "rich user experience" system that you, your users, and at times the entire Internet, are hosed. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|