Security: The Odds are Against Totally Securing Complex Programs

By Dick Weisinger

Security is Hard. That’s the title of a 2001 paper by Ross Anderson at the University of Cambridge, a paper that looked at the application of security from the perspective of an economist.

Ross concludes that “much has been written on the failure of information security mechanisms to protect end users from privacy violations and fraud. This misses the point. The real driving forces behind security system design usually have nothing to do with such altruistic goals. They are much more likely to be the desire to grab a monopoly, to charge different prices to different users for essentially the same service, and to dump risk. Often this is perfectly rational.”

Ross explains why complex software can never be made fully secure. He offers the example of the Windows Operating System. In 2000, Windows OS had more than 35,000,000 lines of code. Because it was so large and complex, it could well have had more than 1,000,000 bugs when released. An attacker needs to find and exploit only a single bug to compromise the system, whereas the developers trying to fix bugs can only ever fix a fraction of the total. The numbers make it difficult ever to mount a totally secure defense.

In an interview with Search Security, Ross said that “The information security problem is basically a problem of politics and regulation, rather than technology. Even if you were to encrust all of your medical systems with all sorts of fancy firewalls, encryption and goodness knows what, that wouldn’t fix the problem.”
