Cigital

Silver Bullet Security Podcast

I did a podcast with Gary McGraw which is available here. Gary’s questions were great, I could have written a ten page whitepaper in response to most of them, but tried to sum up my thoughts on “what is security”, and how you might approach security…

Hi Gary,

Two more thoughts to keep in mind, both from David Gelernter
http://www.edge.org/documents/archive/edge70.html

First, in terms of where SOA and Web 2.0 are leading:

“If a million people use a Web site simultaneously, doesn’t that mean that we must have a heavy-duty remote server to keep them all happy? No; we could move the site onto a million desktops and use the internet for coordination. The “site” is like a military unit in the field, the general moving with his troops (or like a hockey team in constant swarming motion). (We used essentially this technique to build the first tuple space implementations. They seemed to depend on a shared server, but the server was an illusion; there was no server, just a swarm of clients.) Could Amazon.com be an itinerant horde instead of a fixed Central Command Post? Yes.”

Next, further amplification of the matrix problem you stated:

“If you have three pet dogs, give them names. If you have 10,000 head of cattle, don’t bother. Nowadays the idea of giving a name to every file on your computer is ridiculous.”

A great catch Gary (fishing pun intended) and Gunnar your blog is in my Top 5 list; nary a second was wasted…
What struck me immediately after the podcast (and maybe I should think about this more before possibly making a fool out of myself):
If we are doing such a bad job and spending so much effort on Web 1.0 prevention mechanisms and techniques, and Web 2.0 is here with Web 3.0 on its way, why don’t we just say “screw it”, throw out all the Web 1.0 security stuff out the window, and focus all of our efforts at the data level, meaning architect and implement ALL of our applications using WS-*, SAML, SOA, Federated Identity, etc. ?