So I believe vendors should be obligated to work with their customers to provide security patches and
enhancements, but should not be given the ability to keep the systems up-to-date unless the customer
asks for it. Vendors should also provide better configuration interfaces, and default configurations, that
are easy to set up and change, as well as (free) support to help customers use them.
Do you expect personal computers a decade from now to be more secure than they are
today?
In some ways yes, and in other ways no. I expect that they will provide more security services that
can be configured to make the systems more secure in various environments—not all environments,
though! I also expect that the main problem for securing systems will be configuration, operation, and
maintenance, though, and those problems will not be overcome in a decade, because they are primarily
people problems and not technical problems.
What advice can you offer students who are seriously interested in creating secure software
systems?
Focus on all aspects of the software system. Identify the specific requirements that the software system
is to solve, develop a security policy that the software system is to meet (and that will meet the
requirements), design and implement the software correctly, and consider the environment in which
it will be used when you do all this. Also, make the software system as easy to install and configure as
possible, and plan that the users will make errors. People aren't perfect, and any security that depends
upon them doing everything correctly will ultimately fail.
 