Shostack + Friends Blog Archive


More on Snow's Assurance Paper

This is a followup to Gunnar Peterson’s comments on “Epstein, Snow and Flake: Three Views of Software Security.” His comments are in an update to the original post, “The Road to Assurance:”

None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, iteration is the only way to work towards that. Adam’s brilliant suggestion? OODA Loops.

I think there’s some misunderstanding here. First, I don’t understand what Gunnar means by ‘horizontal’ and ‘vertical’ views. Secondly, I’m not actually suggesting OODA loops as a means of advancing. Being intelligent about our choice of things to observe and how to interpret our observations is essential, and much harder than it seems.

A project I’m working on has an aspect I call “the jell-o slicing problem.” That is, there are lots of valid ways to slice jell-o. None of them are obviously more valid than all the others, but many of them are obviously more valid than some others. Some of the original project descriptions were broad and aspired to really great things. Things that we’ve been meaning to get to for quite some time.
Choosing what to observe and how to measure those observations is causing us much grief.

I think there is probably a simple set of things that we can look at to increase assurance. I think most people probably think so, and when we start digging in, in forums like “build security in” and the NIST/DHS SAMATE project, we realize just how divergent, chaotic, and different our views are.

As I finished this, I see that Gunnar has another article, “Assurance Techniques Review.” I’ll respond in a bit.

2 comments on "More on Snow's Assurance Paper"

  • Jason Haley says:

    Interesting Finds

  • Gunnar says:

    In system design, I tend to think of things in terms of horizonal and vertical domains. In a vertical domain there is a specific body of knowledge (and frequently a language) that requires decomposition, isolation, and analysis to deal. Horizontal concerns cut across the system and these require synthesis, pattern recognition, and relationships across the disparate domains. So a simple case would be a three tier architecture, web server-app server – database server. Each server is its own vertical slice (note that within each vertical slice there may be nested horizontal and vertical slices, recursion is nice that way), the transaction (at runtime) however follows a horizontal path that cuts across all of these elements, and does nto necessarily care about the linuga franca in each specific domain, only what it needs to process the tx.

Comments are closed.