- The Methodical Approach and the Need for a Methodology
- Firewalls, Security, and Risk Management
- How to Think About Risk Management
- Computer Security Principles
- Firewall Recommendations and Definitions
- Why Do I Need a Firewall?
- Do I Need More Than a Firewall?
- What Kinds of Firewalls Are There?
- The Myth of "Trustworthy" or "Secure" Software
- Know Your Vulnerabilities
- Creating Security Policies
- Training
- Defense in Depth
- Summary
The Myth of "Trustworthy" or "Secure" Software
The goal of building secure and more reliable software can never be under-appreciated or over-emphasized in our opinions. We want to see vendors produce better software, but we do recognize that wanting something is very different from having something, and too many promise what they can't deliver. As it is, software is going to have flaws because it's very hard to write bug free and infallible software, and software is written by imperfect people. That's not to just pick on software; hardware is equally plagued with these issues. Computer hardware and software are complex systems, ever more complex everyday, and market forces sometimes dictate whether or not security will be the product's primary focus, or even if security will be get any attention at all. After all, as we already said, "secure" is a subjective concept that differs from party to party. What the builder envisions as "secure" might not be the ultimate case for every user. With that said, if you want to manage the security of your systems, you need to start with the cardinal rule:
People are not perfect. People make the things we use. Therefore those things we use will not be perfect.
To be more succinct, your software and hardware probably have bugs in them. They probably have a lot of bugs. Prepare for that, no matter how great your software or hardware vendor is or what they might say about the security of their products or their track record.
It's best to look at your systems as the flawed, imperfect and insecure things they probably are. If you start with this assumption, the task at hand can seem daunting. But don't fear! You've made it this far in life, and real life is no more certain, perfect, or secure than the computing world is. In nature, there is no such thing as total security. That concept does not exist. There is only risk management. Sometimes you crawl out of your hole to seek food, and something else eats you; other times you stay in your hole and starve; and other times, most of the time, you leave your hole, you find food, purpose, enjoyment, and everything turns out fine. It's balancing those risks, threats, and rewards that defines life.
With computers it's no different. Sometimes you have to take greater risks with your Information Technology systems to reach a new customer, to link with an important vendor, or to simply operate your business. If you have systems attached to the Internet, then you are taking a risk.