https://gidley.co.uk/tags/attack-trees/ Recent content in Attack-Trees on Gidley's Gossipings Hugo en Sat, 28 Jan 2017 17:00:36 +0000 https://gidley.co.uk/post/computers-are-complex/ Sat, 28 Jan 2017 17:00:36 +0000 https://gidley.co.uk/post/computers-are-complex/ <p>Computer systems are complex, and the complexity has been at the point for quite a few years now it&rsquo;s impossible for any one person to understand &rsquo;everything&rsquo; about any given system. There will often be people with a good understanding the &lsquo;building blocks&rsquo; but it&rsquo;s pretty much impossible to understand all the detail of the code, libaries and platforms it depends on.</p> <p>Complexity has massive implications for the security of computer systems. If no-one understands a system how can you have any surity that it&rsquo;s secure? The developers of the system will have tried to design for &lsquo;known&rsquo; security issues, and tried to assemble the &lsquo;building blocks&rsquo; in such a way they are secure but as they aren&rsquo;t full understood it&rsquo;s highly likely there will be some issues. This is not just an academic claim - if we simply look at the &lsquo;security patchs&rsquo; for major building block components like Java, .NET, Windows, Linux - all of which have regular security issues that could compromize any systems built on them. On top of the building blocks, even in a mid size dev team, you will have a mixture of skills and abilities in the team and even with &lsquo;2 person reviews&rsquo; security bugs do get through. Add in that many systems depend on services supplied by other companies - things like SaaS, hosting, ISP&rsquo;s, Certificate Authorities and DNS - any or all of which are critical for security.</p>