Re: Automating secure transactions
From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 02/16/04
- Next message: Robin T Cox: "Re: anti-spamming, anti-spyware"
- Previous message: Ford Prefect: "Re: Need help"
- In reply to: kj: "Re: Automating secure transactions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 16 Feb 2004 03:46:44 GMT
kj <nomail@nospam.com> writes:
> I've read a fair bit about security, mostly in the areas of
> encryption and SSL. I have not been able to find anything
> specifically addressing the problem of securely writing code that
> must (a) run without any human supervision, and (b) must know about
> highly sensitive information.
first thing about writing secure code ... assume not C or any of the
C derivatives ... lots of vulnerability references (including buffer
exploits)
http://www.garlic.com/~lynn/subpubkey.html#fraud
here is a recent ref you might find interesting: Passwords to guard entry
aren't enough to protect complex data:
http://www.eurekalert.org/pub_releases/2004-02/su-ptg021304.php
run w/o human supervision ... is frequently along the lines of various
kinds of service deliverables ... where as much as possible is
automated ... since people make mistakes ... including but not limited
to security mistakes. I've contended that the effort to take a straight
line application and turn it into a service application (human free)
can take ten times the (original) effort and may typically need 4-10
times as much code.
for the most part ... for a security application to understand highly
sensitive information ... the information needs security labels
... and then proscribed rules relating to the various security levels
... so try a search engine with things like "security label", "mandatory
access control", "mandatory security policy", etc.
another source is some of NIST documents:
http://csrc.nist.gov/publications/drafts.html
http://csrc.nist.gov/publications/fips/
http://csrc.nist.gov/publications/nistpubs/index.htm
http://csrc.nist.gov/rbac/
minor discussion of security proportional to risk:
http://www.garlic.com/~lynn/2001h.html#61
also of possibly some interest:
http://www.garlic.com/~lynn/2002l.html#42 thirty years later, lessons from the multics security evaluation
http://www.garlic.com/~lynn/2002l.html#44 thirty years later, lessons from the multics security evaluation
http://www.garlic.com/~lynn/2002l.html#45 thirty years later, lessons from the multics security evaluation
misc. refs to predominant use of SSL in the world today:
http://www.garlic.com/~lynn/subpubkey.html#sslcert
security also means things like availability in addition to
confidentiality ... as well as assurance; misc. random postings on
assurance:
http://www.garlic.com/~lynn/subpubkey.html#assurance
highly dependable computing ... security, assurance, integrity, etc
taken as a whole, not just intrusions or leakage of confidential
information:
http://www.hdcc.cs.cmu.edu/index.html
http://www.hdcc.cs.cmu.edu/may01/index.html
a couple notes specifically with respect to the original internet
payment gateway:
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3
random refs to service operation 4-10 times code, automated operator,
service operations, etc:
http://www.garlic.com/~lynn/98.html#35a Drive letters
http://www.garlic.com/~lynn/98.html#37 What is MVS/ESA?
http://www.garlic.com/~lynn/98.html#40 Comparison Cluster vs SMP?
http://www.garlic.com/~lynn/99.html#71 High Availabilty on S/390
http://www.garlic.com/~lynn/99.html#77 Are mainframes relevant ??
http://www.garlic.com/~lynn/99.html#92 MVS vs HASP vs JES (was 2821)
http://www.garlic.com/~lynn/99.html#107 Computer History
http://www.garlic.com/~lynn/99.html#128 Examples of non-relational databases
http://www.garlic.com/~lynn/99.html#136a checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/2000.html#13 Computer of the century
http://www.garlic.com/~lynn/2000.html#22 Computer of the century
http://www.garlic.com/~lynn/2000c.html#45 Does the word "mainframe" still have a meaning?
http://www.garlic.com/~lynn/2000c.html#47 Does the word "mainframe" still have a meaning?
http://www.garlic.com/~lynn/2000f.html#12 Amdahl Exits Mainframe Market
http://www.garlic.com/~lynn/2000f.html#30 OT?
http://www.garlic.com/~lynn/2000f.html#54 360 Architecture, Multics, ... was (Re: X86 ultimate CISC? No.)
http://www.garlic.com/~lynn/2001.html#43 Life as a programmer--1960, 1965?
http://www.garlic.com/~lynn/2001c.html#13 LINUS for S/390
http://www.garlic.com/~lynn/2001c.html#69 Wheeler and Wheeler
http://www.garlic.com/~lynn/2001d.html#70 Pentium 4 Prefetch engine?
http://www.garlic.com/~lynn/2001d.html#71 Pentium 4 Prefetch engine?
http://www.garlic.com/~lynn/2001e.html#44 Where are IBM z390 SPECint2000 results?
http://www.garlic.com/~lynn/2001e.html#47 Where are IBM z390 SPECint2000 results?
http://www.garlic.com/~lynn/2001f.html#75 Test and Set (TS) vs Compare and Swap (CS)
http://www.garlic.com/~lynn/2001g.html#44 The Alpha/IA64 Hybrid
http://www.garlic.com/~lynn/2001h.html#8 VM: checking some myths.
http://www.garlic.com/~lynn/2001j.html#23 OT - Internet Explorer V6.0
http://www.garlic.com/~lynn/2001k.html#13 HP-UX will not be ported to Alpha (no surprise)
http://www.garlic.com/~lynn/2001k.html#14 HP-UX will not be ported to Alpha (no surprise)
http://www.garlic.com/~lynn/2001k.html#18 HP-UX will not be ported to Alpha (no surprise)
http://www.garlic.com/~lynn/2001l.html#47 five-nines
http://www.garlic.com/~lynn/2001n.html#3 News IBM loses supercomputer crown
http://www.garlic.com/~lynn/2001n.html#47 Sysplex Info
http://www.garlic.com/~lynn/2001n.html#85 The demise of compaq
http://www.garlic.com/~lynn/2001n.html#91 Buffer overflow
http://www.garlic.com/~lynn/2001n.html#93 Buffer overflow
http://www.garlic.com/~lynn/2002.html#24 Buffer overflow
http://www.garlic.com/~lynn/2002e.html#68 Blade architectures
http://www.garlic.com/~lynn/2002h.html#73 Where did text file line ending characters begin?
http://www.garlic.com/~lynn/2002j.html#45 M$ SMP and old time IBM's LCMP
http://www.garlic.com/~lynn/2002l.html#62 Itanium2 performance data from SGI
http://www.garlic.com/~lynn/2002n.html#11 Wanted: the SOUNDS of classic computing
http://www.garlic.com/~lynn/2002n.html#27 why does wait state exist?
http://www.garlic.com/~lynn/2002o.html#14 Home mainframes
http://www.garlic.com/~lynn/2002o.html#68 META: Newsgroup cliques?
http://www.garlic.com/~lynn/2002p.html#54 Newbie: Two quesions about mainframes
http://www.garlic.com/~lynn/2003.html#37 Calculating expected reliability for designed system
http://www.garlic.com/~lynn/2003g.html#3 Disk capacity and backup solutions
http://www.garlic.com/~lynn/2003g.html#62 IBM says AMD dead in 5yrs ... -- Microsoft Monopoly vs. IBM
http://www.garlic.com/~lynn/2003h.html#56 The figures of merit that make mainframes worth the price
http://www.garlic.com/~lynn/2003h.html#60 The figures of merit that make mainframes worth the price
http://www.garlic.com/~lynn/2003i.html#27 instant messaging
http://www.garlic.com/~lynn/2003j.html#15 A Dark Day
http://www.garlic.com/~lynn/2003l.html#11 how long does (or did) it take to boot a timesharing system?
http://www.garlic.com/~lynn/2003n.html#22 foundations of relational theory? - some references for the
http://www.garlic.com/~lynn/2003n.html#29 Architect Mainframe system - books/guidenance
http://www.garlic.com/~lynn/2003n.html#45 hung/zombie users ... long boring, wandering story
http://www.garlic.com/~lynn/2003p.html#37 The BASIC Variations
http://www.garlic.com/~lynn/2004.html#40 AMD/Linux vs Intel/Microsoft
-- Anne & Lynn Wheeler | lynn@garlic.com - http://www.garlic.com/~lynn/ Internet trivia, 20th anniv: http://www.garlic.com/~lynn/rfcietff.htm
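The post above points at security labels and mandatory access control as the way an unattended service can handle sensitive data. The following is an added example, not code from the post or from any project it references, showing the core of such a scheme: a label is a sensitivity level plus a set of compartments, a subject may read an object only if the subject's label dominates the object's (no read up), and may write only if the object's label dominates the subject's (no write down, the Bell-LaPadula *-property). The level names, compartment names, `ReferenceMonitor` class and the scenario in `run_demo` are all constructed for illustration.

```python
"""Mandatory access control with security labels (Bell-LaPadula style).

Illustrative example, not the post's own code. A label is a sensitivity
level plus a set of compartments. A subject (here an unattended service
process) may read an object only if its label dominates the object's
label (no read up), and may write an object only if the object's label
dominates its own (no write down).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Level(IntEnum):
    # Constructed ordering; any totally ordered set of levels works.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level is >= AND compartments are a superset."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        comps = ",".join(sorted(self.compartments)) or "-"
        return f"{self.level.name}/{{{comps}}}"


class ReferenceMonitor:
    """Hypothetical mediator: every access goes through decide() and is audited."""

    def __init__(self) -> None:
        # (who, op, object name, allowed) for each mediated access
        self.audit: List[Tuple[str, str, str, bool]] = []

    def decide(self, subject: Label, op: str, obj: Label) -> bool:
        if op == "read":
            return subject.dominates(obj)   # simple security property: no read up
        if op == "write":
            return obj.dominates(subject)   # *-property: no write down
        raise ValueError(f"unknown operation {op!r}")

    def access(self, who: str, subject: Label, op: str,
               name: str, obj: Label) -> bool:
        allowed = self.decide(subject, op, obj)
        self.audit.append((who, op, name, allowed))
        return allowed


def run_demo() -> List[Tuple[str, str, str, bool]]:
    """Constructed scenario: a SECRET/{PAYMENTS} service touching three objects."""
    rm = ReferenceMonitor()
    service = Label(Level.SECRET, frozenset({"PAYMENTS"}))
    card_db = Label(Level.SECRET, frozenset({"PAYMENTS"}))
    hsm_keys = Label(Level.TOP_SECRET, frozenset({"PAYMENTS", "KEYS"}))
    public_log = Label(Level.CONFIDENTIAL)

    rm.access("payment-svc", service, "read", "card_db", card_db)         # allowed: same label
    rm.access("payment-svc", service, "read", "hsm_keys", hsm_keys)       # denied: read up
    rm.access("payment-svc", service, "write", "public_log", public_log)  # denied: write down
    rm.access("payment-svc", service, "write", "hsm_keys", hsm_keys)      # allowed: write up
    return rm.audit


if __name__ == "__main__":
    for who, op, name, allowed in run_demo():
        print(f"{who} {op} {name}: {'ALLOW' if allowed else 'DENY'}")
```

The denied write to `public_log` is the case that matters most for an unattended service: a process that can read card data must not be able to copy it into a lower-classified log, even accidentally, and the audit trail records the attempt so that it can be detected.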