
Developing a secure link

  • Angus Mezick
    Message 1 of 35 , Apr 30, 2001
      Right now I am designing a security protocol for transmitting financial
      transactions over the internet. This is something where the design of the
      item really has to be thought through and closely examined for holes. I
      was wondering how something like this could be developed using XP and where
      in the process it would fit? Somewhere in the stories? Or when the
      developers create tasks? Or generated using spikes? If we get this wrong,
      we get in BIG trouble. (Your account numbers out there for all to see.)
      --Angus
      P.S. I had no idea that a question about MVC could go so far :)
    • wecaputo@thoughtworks.com
      Message 35 of 35 , May 7 7:15 AM
        William Wake:

        >'Relentless testing' is more a mechanism that lets us treat the code _as
        >if_ it is exactly right (knowing deep down that it might not be). Our
        >assurance is only as good as our ability to generate test cases. And when
        >there are cases where that assurance isn't enough (ala Cockburn's
        >'essential money' or 'life critical'), we may need other mechanisms. Even
        >then, there is a small voice of doubt (nothing is for sure, as the history
        >of security mechanisms shows).

        Nicely put Bill. IMHO *how* this mechanism allows us to treat the code as
        'exactly right' is through the precise, objective, a priori specification of
        these tests as an input into development (acceptance tests) so we can
        'know' when (if) the code works to the appropriate level of silencing
        doubt.

        As someone else in the thread pointed out, running tests for known exploits
        might go a long way toward verifying the system works. Having a security
        expert acting as the test definer couldn't hurt either. When a hole is
        found after release (and there will be some) writing a test to illuminate
        the defect ensures it never rears its ugly head again.
        It all comes down to tests as input into development (upstream) vs tests to
        verify that development was done (downstream). Same tests, same rigorous
        approach, different order.

        >We're back to Dijkstra's "Testing can show the presence of bugs, but never
        >their absence."

        That quote makes it clear why security can never be absolute. To rephrase:
        "Testing can show the presence of security holes, but never their absence."
        -- or something like that ;-)

        Best,
        Bill
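As an added illustration of the approach the reply describes (acceptance tests written up front, tests for known exploit classes, and a regression test added once a hole is found), here is a small example that is not part of the thread. The transaction link it checks is an assumed, deliberately simplified design: an HMAC-SHA256 tag over a canonical JSON encoding of the transaction, plus a per-message nonce that the receiver remembers so that a captured message cannot be replayed. Names such as `SecureLink`, `run_acceptance_tests` and the sample key and transaction are constructed for this example.

```python
"""Added example, not code from the mailing-list thread.

The receiver below is written to satisfy the acceptance tests in
run_acceptance_tests(), which are the 'upstream' input the reply talks about:
each test names a class of hole (tampering, replay, wrong key, missing nonce)
that the link must already be known to reject before it ships.
"""
import hashlib
import hmac
import json


class SecureLink:
    """One end of an authenticated transaction channel (assumed design)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_nonces: set = set()

    @staticmethod
    def canonical(payload: dict) -> bytes:
        # Deterministic serialisation so that sender and receiver MAC identical
        # bytes regardless of dict ordering.
        return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

    def tag(self, payload: dict) -> str:
        """Sender side: compute the authentication tag for a transaction."""
        return hmac.new(self._key, self.canonical(payload), hashlib.sha256).hexdigest()

    def accept(self, payload: dict, tag: str) -> bool:
        """Receiver side: return True only for a genuine, never-before-seen message."""
        expected = self.tag(payload)
        # Constant-time comparison; a plain `==` would let an attacker learn the
        # tag byte by byte from timing differences.
        if not hmac.compare_digest(expected, tag):
            return False
        nonce = payload.get("nonce")
        if nonce is None or nonce in self._seen_nonces:
            return False  # missing nonce, or a replay of a message we already took
        self._seen_nonces.add(nonce)
        return True


def run_acceptance_tests() -> dict:
    """Acceptance tests as input into development: each entry is one known hole class.

    Returns a name -> passed mapping so the results can be inspected or asserted.
    """
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    sender, receiver = SecureLink(key), SecureLink(key)
    txn = {"account": "ACCT-0001", "amount": "125.00", "nonce": "n-1"}  # constructed
    tag = sender.tag(txn)
    results = {}

    # The happy path must work, otherwise the rejection tests prove nothing.
    results["genuine_message_accepted"] = receiver.accept(txn, tag)

    # Known exploit class: alter the amount after the tag was computed.
    tampered = dict(txn, amount="9125.00")
    results["tampered_amount_rejected"] = not receiver.accept(tampered, tag)

    # Known exploit class: replay a captured genuine message a second time.
    results["replay_rejected"] = not receiver.accept(txn, tag)

    # Known exploit class: a tag produced under a different key.
    results["wrong_key_rejected"] = not receiver.accept(txn, SecureLink(b"other-key").tag(txn))

    # Regression test of the kind the reply describes: a hole found after release
    # (messages without a nonce slipping past the replay check) becomes a
    # permanent test so it never returns.
    no_nonce = {"account": "ACCT-0002", "amount": "10.00"}
    results["missing_nonce_rejected"] = not receiver.accept(no_nonce, sender.tag(no_nonce))
    return results


if __name__ == "__main__":
    for name, passed in run_acceptance_tests().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The point of the example is the order of work: the `run_acceptance_tests` cases were the specification the receiver had to meet, so the team can "know" the link handles those holes, while Dijkstra's caveat still applies to anything the list does not name.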