Security in IT-projects: The Story of the Three Little Pigs
Written by Division by Zero   
Tuesday, 08 November 2011 09:12

You'll probably know the story of the three little pigs and the big bad wolf (maybe just the Disney version, but the story is basically the same). The three pigs want to build a house in the woods to live in. In some versions of the story they are warned of the big bad wolf that's living in the woods. The first pig builds a house of straw, the second builds a house of wood and the third pig builds a house of stone. Of course the wolf comes and easily destroys the house made of straw (by huffing and puffing). Then the wolf destroys the wooden house, but the wolf is unable to break down the stone house. Eventually the wolf tries to enter through the chimney, but fails because the pig has lit a fire in the fireplace. Obviously there are some morals in this story, and at least one of them has to do with security. Let's look at the three houses built by the pigs; these houses symbolise the way we handle security in software development projects.

Straw house
The straw house is quick and easy to build and provides enough functionality. Requirements are met: you can live in it and the house provides shelter and isolation. Projects almost always seem to be under pressure: there is no time, no budget and the software must be able to do everything. Of course this is an exaggeration. If the IT specialists on the project have no knowledge of what security entails, there will be no secure foundation and the choice of building materials will not be the right one for every situation. There is complete ignorance of the big bad wolf (until it shows up, of course).

Wooden house
The wooden house is a project with IT specialists that have some idea of security. They know there is a big bad wolf and that there is a probability that the wolf will pay a visit. But there is no fundamental knowledge of what security entails. This means that some measures will be taken: wood is a firm building material. But the software doesn't have a good fundamental secure base. Even though there is input validation and other measures, security as a way of thinking and testing isn't fundamentally understood, so the right principles aren't in place to provide a good foundation.

Brick house
Yes... this project will take up more time. It will need more skill: a foundation is needed and the bricks need cement. But after these building principles are applied the house will be solid. Furthermore, all the gaps in the house are known functional gaps: doors, windows and the chimney. Because they are known, security measures can be applied to them. Security in IT needs a good foundation. So you need the right skills to apply the right security principles at the right time and place. You also need to know the 'attack surface' of your application. Only this way will you be able to mitigate the risks for your company.


Comments

+1 # Rem 2011-11-08 13:04
You forgot one type of house that I encountered again today. We have a point to point VPN tunnel between one of our servers and that of another institution. We need to call them ahead to have them open the VPN on their end so we can connect to the server we need to manage there. The problem is: we cannot get any files on or off this server in any way. Now, you could say this is a good security measure as no malicious data can be placed and no information can be stolen from the other party's network. But after a point to point VPN, call to open and a signed privacy statement, I think it's a bit overkill.

The actual way of us getting data on the server is putting it up on an FTP site, one of their employees retrieves it and puts it on the server - without checking the contents!

I therefore move to add the 4th house: The Bricked-up House : www.moargoth.com/brickedup.jpg

~Rem
PS: You typo'd "Straw" house (it says "Stray")
0 # Bas 2011-11-09 16:34
Thanks for the addition and the correction! The original story was about three pigs, so there wasn't a fourth house.

But you're right... the fourth would be an almost unbreakable fortress. So secure that it becomes unusable!

I believe that the third house mentioned should be the middle ground between security and functionality.
© 2009 - 2012, Division by Zero
This work by Division by Zero is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Netherlands License.