Shostack + Friends Blog Archive


Hoff on AWS

Hoff’s blog post “Why Amazon Web Services (AWS) Is the Best Thing To Happen To Security & Why I Desperately Want It To Succeed” is great on a whole bunch of levels. If you haven’t read it, go do that.

The first thing I appreciated is that he directly confronts the possibility of his own confirmation bias.

The next thing I liked is that he’s not looking at just the technology, but the technology situated in a set of cultural assumptions.

Then he gets to the crux: “Either we learn to walk without them or simply not move forward.”

However, at the end, I get a little concerned when he gets to a quote from Werner Vogels, “There’s no excuse not to use fine grained security to make your apps secure from the start.” Now, that’s a quote, embedded in a tweet, and so I’m going to feel a little safer in raising issues, because I can honestly say that I hope there’s some additional context there.

The reason not to rely only on fine-grained security is that fine-grained security is hard to get right. It’s hard to conceptualize, it’s hard to implement well, and it’s hard to test. I’d love to hear more on the context (from either Hoff, Werner, or someone who was in the talk) about what else gets embedded and built to offer defense in depth.
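To make “hard to implement well, hard to test” concrete, here is an added example (mine, not from the original post, and not AWS’s own IAM evaluator) of a toy policy language of the kind fine-grained security usually ends up with: statements that Allow or Deny an action on a resource, with wildcards. The policy and probe requests are constructed for illustration. Two evaluators are shown: one with the usual safe semantics (default deny, explicit deny overrides any allow, statement order irrelevant) and one with a plausible-looking shortcut (first matching statement wins) that silently makes the verdict depend on statement order. The order_independent check is the kind of test you have to think to write; nothing in a single “does the happy path work” test would catch the difference.

```python
"""Toy fine-grained authorization evaluator (added illustration, not AWS code).

Policy shape, wildcard syntax and evaluation rules are assumptions chosen to
resemble the general idea of a cloud IAM-style policy language, not any
particular product's semantics.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from itertools import permutations
from typing import Callable, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Statement:
    effect: str               # "Allow" or "Deny"
    actions: Tuple[str, ...]  # glob patterns such as "s3:Get*"
    resources: Tuple[str, ...]  # glob patterns such as "bucket/reports/*"


def _matches(patterns: Iterable[str], value: str) -> bool:
    """Case-sensitive glob match; '*' spans '/' here, which is itself a design choice."""
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: Sequence[Statement], action: str, resource: str) -> bool:
    """Safe semantics: default deny, and any matching Deny beats every Allow.

    Every statement is inspected, so the verdict cannot depend on order.
    """
    allowed = False
    for st in policy:
        if _matches(st.actions, action) and _matches(st.resources, resource):
            if st.effect == "Deny":
                return False
            allowed = True
    return allowed


def is_allowed_first_match(policy: Sequence[Statement], action: str, resource: str) -> bool:
    """Tempting shortcut: stop at the first matching statement.

    Looks equivalent on simple policies, but an Allow listed before a
    narrower Deny now wins, so reordering statements changes who gets in.
    """
    for st in policy:
        if _matches(st.actions, action) and _matches(st.resources, resource):
            return st.effect == "Allow"
    return False


def order_independent(
    evaluator: Callable[[Sequence[Statement], str, str], bool],
    policy: Sequence[Statement],
    probes: Iterable[Tuple[str, str]],
) -> bool:
    """True if the evaluator returns one verdict per probe across all statement orderings."""
    for action, resource in probes:
        verdicts = {evaluator(list(p), action, resource) for p in permutations(policy)}
        if len(verdicts) > 1:
            return False
    return True


# Constructed sample policy: broad read access to reports, with a carve-out.
POLICY: List[Statement] = [
    Statement("Allow", ("s3:Get*",), ("bucket/reports/*",)),
    Statement("Deny", ("s3:*",), ("bucket/reports/secret/*",)),
]

# Constructed probe requests covering the allow path, a wrong action,
# an unrelated resource, and the carved-out subtree.
PROBES: List[Tuple[str, str]] = [
    ("s3:GetObject", "bucket/reports/q1.csv"),
    ("s3:PutObject", "bucket/reports/q1.csv"),
    ("s3:GetObject", "other/q1.csv"),
    ("s3:GetObject", "bucket/reports/secret/keys"),
]


if __name__ == "__main__":
    for action, resource in PROBES:
        print(f"{action:14} {resource:30} safe={is_allowed(POLICY, action, resource)!s:5} "
              f"first_match={is_allowed_first_match(POLICY, action, resource)}")
    print("safe evaluator order-independent:", order_independent(is_allowed, POLICY, PROBES))
    print("first-match evaluator order-independent:",
          order_independent(is_allowed_first_match, POLICY, PROBES))
```

The interesting probe is the last one: the safe evaluator denies access to bucket/reports/secret/keys regardless of how the policy is ordered, while the first-match evaluator allows it as written and denies it if the statements are swapped. That is exactly the class of bug that is easy to write, easy to miss in review, and invisible to a test suite that only checks a handful of expected-allow cases.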

Me, I’d like to see evidence: how do apps fare with different design philosophies? Let’s say group A are apps built with fine-grained security from the start, group B are apps built with a firewall assumption, and group C are apps developed by a team that’s been using a modern security development lifecycle for more than a year. How does A do compared to each of the others? (Pssst! Looking at you, Jeremiah!) There are of course other comparisons we could run, but what’s important is that we look to data rather than the opinions of well-regarded folks.

[Update: Jeremiah responded, “please better define ‘modern security development lifecycle’ and ‘fine grained security’ and I’ll go find out,” which I suppose puts the ball in my court. Modern SDL is relatively easy–is the organization using either the “Microsoft SDL Optimization Model” or the BSIMM to evaluate their development activities? Fine grained security is harder for me to provide a “survey question” for. Perhaps “does your app have a security kernel that performs authorization tests?” or “does your app support a policy language to control authorization activity?”

I would love your thoughts on how to make surveyable propositions about things the survey participants should know about.]