Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Point-and-Shoot Security Design: Can We Build Better Tools for Developers?

: Türpe, Sven

Preprint urn:nbn:de:0011-n-2230544 (828 KByte PDF)
MD5 Fingerprint: 0afb35d4af7c29f68c814b7ba1220663
Created on: 9.1.2013

Association for Computing Machinery -ACM-:
NSPW '12, Workshop on New Security Paradigms. Proceedings
New York: ACM, 2012
ISBN: 978-1-4503-1794-8
Workshop on New Security Paradigms (NSPW) <2012, Bertinoro>
Conference Paper, Electronic Publication
Fraunhofer SIT ()
abstraction; adversary; epistemology; macroscopic security; philosophy; property degree; security engineering; security model; security properties; security tools; systematization; threat

Security property degrees systematize the angles from which one can discuss the security of a system. Microscopic properties characterize how specific actions affect parts of a system. Mesoscopic properties describe how the pursuit of an attack objective may affect the system and the attacker. Macroscopic properties represent the interaction of a threat environment with a system. Properties of different degrees are interdependent, but not in a simple and universal manner. Security design aims to control security properties, shaping them in a favorable way. Its objective is macroscopic control through design decisions on all three degrees. Design tools today occupy mostly the lower half of the property degree scale. A few macroscopic design aids exist but provide little guidance to engin eers. Security designers are thus in a similar situation as photographers, having to make fundamental design decisions without methodologies other than their private, homegrown approaches. This is essential for art but a deficiency in engineering. Standardized mechanization in point-and-shoot cameras helps inexpert photographers to a limited extent but can get in the way of the experienced and ambitious. Point-and-shoot security design, shorthand for current practice as well as a widely held expectation, may do the same to security engineers.