{"id":155,"date":"2014-01-20T17:23:13","date_gmt":"2014-01-20T17:23:13","guid":{"rendered":"http:\/\/cybersecurity.bellevue.edu\/?p=155"},"modified":"2014-01-20T17:23:13","modified_gmt":"2014-01-20T17:23:13","slug":"is-it-time-of-security-rating-of-software-and-systems","status":"publish","type":"post","link":"https:\/\/cybersecurity.bellevue.edu\/index.php\/2014\/01\/20\/is-it-time-of-security-rating-of-software-and-systems\/","title":{"rendered":"Is it time for Security Rating of Software and Systems?"},"content":{"rendered":"<p>One of the fundamental papers in the Information Security industry is \u201c<a href=\"http:\/\/www.cs.virginia.edu\/%7Eevans\/cs551\/saltzer\/\">The Protection of Information in Computer Systems<\/a>\u201d written by Jerome Saltzer and Michael Schroeder in the mid-1970s.\u00a0 This paper defines eight design principles to ensure the safety, security, and functionality of computer systems and applications.\u00a0 It\u2019s timeless, as those principles still apply today. If you haven&#8217;t seen it yet, Adam Shostack of Emergent Chaos does a great job <a href=\"http:\/\/emergentchaos.com\/the-security-principles-of-saltzer-and-schroeder\" target=\"_blank\">in his blog<\/a> of explaining the <a href=\"http:\/\/www.cs.virginia.edu\/%7Eevans\/cs551\/saltzer\/\" target=\"_blank\">Saltzer and Schroeder Design Principles<\/a> and equating them to something almost everyone can understand: Security in Star Wars.<\/p>\n<p>One idea that comes out of it is the concept of &#8220;work factor,&#8221; which has a direct parallel in the fire and burglary ratings on safes.\u00a0 Safes are classified by Underwriters Laboratories for their ability to protect their contents from both fire and burglars.\u00a0 The rating expresses the degree to which the safe will protect its contents. There are both construction and performance requirements.\u00a0 The former defines the minimum specifications for the container. 
The latter defines how long the safe must withstand a burglary attempt.\u00a0 You can read more about it here: <a href=\"http:\/\/www.maximumsecurity.com\/safes\/pc\/Burglary-Fire-Rating-Guide-d92.htm\" target=\"_blank\">http:\/\/www.maximumsecurity.com\/safes\/pc\/Burglary-Fire-Rating-Guide-d92.htm<\/a>.<\/p>\n<p>This idea isn&#8217;t new.\u00a0A DARPA research report from 2001 presents it from a scientific standpoint: &#8220;<a href=\"http:\/\/www.csl.sri.com\/users\/bjwood\/nspw_wood_v1e.pdf\">Adversary Work Factor as a Metric for Information Assurance<\/a>.&#8221; In this paper, Schudel and Wood present the hypothesis \u201cthat adversary work factor is a quantifiable metric that yields valuable insights into the relative strengths and weaknesses of modern complex information systems.\u201d The authors go on to develop an approach for observing and reporting adversary work factors for information systems.<\/p>\n<p>It\u2019s time we used the same approach in cybersecurity. The UL rating system is a standard that&#8217;s long been in use in the physical world. Why not begin to follow it in the cyber world?\u00a0 The IT industry should consider creating construction and performance standards for all computer systems and applications.\u00a0An unbiased, standardized security work factor rating would allow consumers to understand the safety of an application or system and determine whether it fits into their risk appetite.<\/p>\n<p>Why reinvent the wheel?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the fundamental papers in the Information Security industry is \u201cThe Protection of Information in Computer Systems\u201d written by Jerome Saltzer and Michael Schroeder in the mid-1970s.\u00a0 This paper defines eight design principles to ensure the safety, security, and functionality of computer systems and applications.\u00a0 It\u2019s timeless, as those principles still apply today. 
If [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[32,3],"tags":[],"class_list":["post-155","post","type-post","status-publish","format-standard","hentry","category-concepts","category-security-management"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/posts\/155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/comments?post=155"}],"version-history":[{"count":2,"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/posts\/155\/revisions"}],"predecessor-version":[{"id":157,"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/posts\/155\/revisions\/157"}],"wp:attachment":[{"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/media?parent=155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/categories?post=155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurity.bellevue.edu\/index.php\/wp-json\/wp\/v2\/tags?post=155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}