
Security patterns

October 1, 2004 6:40:44.060

For several years, people have been talking about security patterns, writing a few of them, and trying to organize larger efforts. One of the things I enjoyed about this PLoP was the discussions about security patterns, because it appears that things are finally taking off.

The OpenGroup has an on-line book of security patterns. Bob Blakley is the one I always talk to about it.

There is a big writing project at SecurityPatterns.org. They have a lot of patterns written, but they need to be polished. They need reviewers, so if you want to be a part of something big, ask to be on their reviewer list. You don't have to be an expert to be a reviewer. Authors need to have some reviewers who are average readers and who can tell the authors when the writing is not clear enough. Experts are also necessary, of course. Experts can say where the authors left things out, but experts tend to skip the examples and so don't notice the little glitches that always occur. Those glitches are most likely to be found by someone who doesn't know the material and is trying hard to learn it by studying every detail.

There is a group at Sun called CoreSecurityPatterns. They have an outline of their patterns but so far haven't published much. I haven't talked to them, but perhaps it would be possible to become a reviewer for them, too.

Although I am not a security expert, I have written my first security paper! "The Security Architecture of qmail" (number 20 on the list of PLoP papers) describes qmail in terms of a sequence of patterns. Many of these are not security patterns, but the patterns that make up the core of qmail are. The architecture of qmail not only allows it to be much more secure than sendmail, but also a lot smaller and even a little faster. Often increasing security makes a system more complex and slower. qmail shows that this does not have to happen.
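One of the patterns the paper discusses is compartmentalization: the system is split into separate programs, and the parts that handle untrusted input talk to the parts that hold privilege only through narrow, strictly checked interfaces. The following is an added illustration of that pattern written for this post; it is not qmail's code and does not follow qmail's actual interfaces. It assumes a hypothetical two-stage pipeline: an untrusted parser process (`WORKER_SRC`) that reads a constructed envelope format and emits a fixed three-line report, and a trusted side (`validate_report`) that accepts the report only if it has exactly the expected shape and values, treating any crash, timeout or deviation as a rejection.

```python
"""Compartmentalization with a narrow interface (constructed example, not qmail).

The untrusted compartment only ever sees raw bytes and can only emit a fixed
three-line report; the trusted side re-validates that report before acting."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Source of the untrusted parser compartment, run as a separate process so a
# parsing bug there cannot touch the trusted side's state.
WORKER_SRC = r'''
import sys
raw = sys.stdin.buffer.read(65536)
head, sep, body = raw.partition(b"\n\n")
fields = {}
for line in head.split(b"\n"):
    key, _, value = line.partition(b":")
    fields[key.strip().upper()] = value.strip()
if not sep or b"FROM" not in fields or b"TO" not in fields:
    sys.exit(2)  # malformed envelope: refuse rather than guess
out = b"from=%s\nto=%s\nbody_len=%d\n" % (fields[b"FROM"], fields[b"TO"], len(body))
sys.stdout.buffer.write(out)
'''

# The trusted side's idea of an acceptable address (deliberately restrictive).
ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,189}$")
LINE_RE = re.compile(r"^(from|to|body_len)=(.*)$")

@dataclass(frozen=True)
class Envelope:
    sender: str
    recipient: str
    body_len: int

def run_untrusted_parser(raw: bytes) -> Optional[bytes]:
    """Run the parser compartment; a crash, timeout or bad exit is a rejection."""
    try:
        proc = subprocess.run([sys.executable, "-c", WORKER_SRC], input=raw,
                              capture_output=True, timeout=5)
    except subprocess.TimeoutExpired:
        return None
    return proc.stdout if proc.returncode == 0 else None

def validate_report(report: bytes) -> Optional[Envelope]:
    """Trusted side: accept only the exact three-line shape with sane values."""
    try:
        text = report.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\n")
    if len(lines) != 4 or lines[3] != "":  # exactly three lines, newline-terminated
        return None
    got = {}
    for line in lines[:3]:
        m = LINE_RE.match(line)
        if not m or m.group(1) in got:  # unknown or duplicated key
            return None
        got[m.group(1)] = m.group(2)
    if set(got) != {"from", "to", "body_len"}:
        return None
    if not ADDR_RE.match(got["from"]) or not ADDR_RE.match(got["to"]):
        return None
    if not got["body_len"].isdigit() or int(got["body_len"]) > 65536:
        return None
    return Envelope(got["from"], got["to"], int(got["body_len"]))

def accept_message(raw: bytes) -> Optional[Envelope]:
    """Full pipeline: untrusted parse, then trusted validation of the report."""
    report = run_untrusted_parser(raw)
    return validate_report(report) if report is not None else None

if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    print(accept_message(b"From: alice@example.org\nTo: bob@example.net\n\nHello\n"))
```

The point of the design is that the trusted side never parses the raw input at all; it only parses a report whose grammar is small enough to check exhaustively, so a mistake in the untrusted parser can at worst produce a report that is rejected.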

Comments

qmail Interfaces - are they testable interfaces?

[Jonathan Kohl] October 1, 2004 17:12:52.327

I was at the BrightSpot Breakfast with Ralph a couple of months ago, and when you were presenting on qmail Security Patterns, I found myself wondering if the interfaces in qmail are testable or not. If they are, it would make a good candidate to study testable interfaces, and drive them with a scripting language like Ruby. I noticed that in the Interfaces section, it reads: "The interfaces to most of the qmail programs are idiosyncratic and do not follow Unix standards." Does that mean they may not be particularly testable? I think the compartmentalization pattern may have a positive side effect of testability if the interfaces are testable.

I enjoyed the presentation, and this paper looks good as well. Something you said about secure programs being knowable (as in one person, like Daniel Bernstein, understands the program, and the design and code are quite simple and clean) touched off a thought for me on testability. The corollary was that a program that isn't knowable, simple and clean is very difficult to make secure. The same thing applies to testing, I think. I've been chewing on that thought for a few months now.

Jonathan Kohl