Computing Reviews
Engineering trustworthy systems: a principled approach to cybersecurity
Saydjari O. Communications of the ACM 62 (6): 63-69, 2019. Type: Article
Date Reviewed: Nov 4 2019

In this article--an extract of his book on 223 security principles [1]--Saydjari discusses the ten “most fundamental” principles. Both the book and article are addressed to software engineers who want to build secure systems.

Cybersecurity technology is advancing too slowly to keep pace with threats, and system designers need principles in order to do a better job. My own experience analyzing recent attacks (Equifax, Uber, Sony, Capital One, and so on) shows that these attacks succeeded not because they were impossible to stop, but because management made the deliberate decision to not spend money and effort on protecting customer data. In fact, the attacks were very simple, but the systems were quite naked.

The proposed principles are all well known [2,3,4,5], which confirms that the problem is not a lack of cybersecurity knowledge but a failure to apply this knowledge. Even companies that develop security-critical systems such as Microsoft or Adobe don’t use the most advanced secure systems development methodologies, relying instead on secure coding and code analysis. While having a list of principles as a guide when building systems is better than nothing, I doubt that developers will be able to apply 223 principles without the support of a systematic methodology.

I have found that the use of security architectural patterns is an effective way to implicitly apply principles, and after surveying a variety of approaches to secure software design [6], I believe that model-based methodologies are the only hope to produce systems with a high level of security and that comply with privacy and other regulations. However, we first need government regulations that punish institutions that do not protect the data in their trust, as the European regulations do. Until that happens, cyberattacks will continue to succeed.

Reviewer: E. B. Fernandez
Review #: CR146758 (2006-0148)