Security in a nutshell


Here’s an attempt to succinctly describe why achieving security is difficult:


The engineer wants to implement a program P that allows users to perform action A.
The hacker looks at program P and wonders how he can use it to perform actions other than A.
The security guy wants to implement a program P that allows users to perform action A and only action A.


Some observations based on this description:


 – defining A precisely is harder than it may sound
 – it can be non-trivial to implement P so that it performs A
 – if P fails to accomplish A, it will likely accomplish something other than A
 – there is a cascading effect that increases the probability of not being able to achieve the security guy’s goal
