Chapter 25 Managing the Development of Secure Systems

《Chapter 25 Managing the Development of Secure Systems》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、CHAPTER25ManagingtheDevelopmentofSecureSystemsMyownexperienceisthatdeveloperswithaclean,expressivesetofspecificsecurityrequirementscanbuildaverytightmachine.Theydon’thavetobesecuritygurus,buttheyhavetounderstandwhatthey’retryingtobuildandhowitshouldwork.—RickSmithOneofthemostimp

2、ortantproblemswefacetoday,astechniquesandsystemsbecomemoreandmorepervasive,istheriskofmissingthatfine,humanpointthatmaywellmakethedifferencebetweensuccessandfailure,fairandunfair,rightandwrong...noIBMcomputerhasaneducationinthehumanities.—TomWatsonManagementisthatforwhichthereis

3、noalgorithm.Wherethereisanalgorithm,it’sadministration.—RogerNeedham25.1IntroductionSofarwevediscussedagreatvarietyofsecurityapplications,techniquesandconcerns.IfyoureaworkingITmanagerorconsultant,paidtobuildasecuresystem,youwillbynowbelookingforasystematicwaytoselectprotection

4、aimsandmechanisms.Thisbringsustothetopicsofsystemengineering,riskanalysisand,finally,thesecretsauce:howyoumanageateamtowritesecurecode.Businessschoolsreckonthatmanagementtrainingshouldbeconductedlargelythroughcasehistories,stiffenedwithfocussedcoursesonbasictopicssuchaslaw,econo

5、micsandaccounting.Ihavebroadlyfollowedtheirmodelinthisbook.Wewentoverthefundamentals,suchasprotocols,accesscontrol815816Chapter25■ManagingtheDevelopmentofSecureSystemsandcrypto,andthenlookedatalotofdifferentapplicationswithalotofcasehistories.Nowwehavetopullthethreadstogetheran

6、ddiscusshowtogoaboutsolv-ingageneralsecurityengineeringproblem.Organizationalissuesmatterhereaswellastechnicalones.Itsimportanttounderstandthecapabilitiesofthestaffwholloperateyourcontrolsystems,suchasguardsandauditors,totakeaccountofthemanagerialandwork-grouppressuresonthem,an

7、dgetfeed-backfromthemasthesystemevolves.Youalsohavetoinstilsuitablewaysofthinkingandworkingintoyourdevelopmentteam.Successisaboutattitudesandworkpracticesaswellasskills.Therearetensions:howdoyougetpeopletothinklikecriminals,yetworkenthusiasticallyforthegoodoftheproduct?25.2Mana

8、gingaSecurityProjectThehardestpartoftheprojectmanagers