Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Search
Engineering trustworthy systems: a principled approach to cybersecurity
Saydjari O.  Communications of the ACM 62 (6): 63-69, 2019. Type: Article
Date Reviewed: Nov 4 2019

In this article--an extract of his book on 223 security principles [1]--Saydjari discusses the ten “most fundamental” principles. Both the book and article are addressed to software engineers who want to build secure systems.

Cybersecurity technology is advancing too slowly to keep pace with threats, and system designers need principles in order to do a better job. My own experience analyzing recent attacks (Equifax, Uber, Sony, Capital One, and so on) shows that these attacks succeeded not because they were impossible to stop, but because management made the deliberate decision to not spend money and effort on protecting customer data. In fact, the attacks were very simple, but the systems were quite naked.

The proposed principles are all well known [2,3,4,5], which confirms that the problem is not a lack of cybersecurity knowledge but a failure to apply this knowledge. Even companies that develop security-critical systems such as Microsoft or Adobe don’t use the most advanced secure systems development methodologies, relying instead on secure coding and code analysis. While having a list of principles as a guide when building systems is better than nothing, I doubt that developers will be able to apply 223 principles without the support of a systematic methodology.

I have found that the use of security architectural patterns is an effective way to implicitly apply principles, and after surveying a variety of approaches to secure software design [6], I believe that model-based methodologies are the only hope to produce systems with a high level of security and that comply with privacy and other regulations. However, we first need government regulations that punish institutions that do not protect the data in their trust, as the European regulations do. Until that happens, cyberattacks will continue to succeed.

Reviewer:  E. B. Fernandez Review #: CR146758 (2006-0148)
Bookmark and Share
  Reviewer Selected
Featured Reviewer
 
 
Security (K.6.m ... )
 
 
Systems Analysis And Design (K.6.1 ... )
 
Would you recommend this review?
yes
no
Other reviews under "Security": Date
Behavioral cybersecurity: applications of personality psychology and computer science
Patterson W., Winston-Proctor C.,  CRC Press, Boca Raton, FL, 2019. 261 pp. Type: Book (978-1-138617-78-0)
Jun 21 2022
Application of big data for national security: a practitioner’s guide to emerging technologies
Akhgar B., Saathoff G., Arabnia H., Hill R., Staniforth A., Bayerl P.,  Butterworth-Heinemann, Waltham, MA, 2015. 316 pp. Type: Book (978-0-128019-67-2)
Sep 8 2016
Identity authentication based on keystroke latencies
Joyce R., Gupta G.  Communications of the ACM 33(2): 168-176, 1990. Type: Article
Sep 1 1990
more...

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright © 2000-2022 ThinkLoud, Inc.
Terms of Use
| Privacy Policy