Visualizing the Yin and Yang of Information Security

Blog post : www.foo.be/cgi-bin/wiki.pl/2009-07-31-The_Yin_and_Yang_Of...

Visualizing the Yin and Yang of Information Security. Working in the information security field, I had some difficulties to explain the equilibrium I tried to reach. Stuck (again) in a traffic jam, I quickly drew the following three circles representing the three kind of "information security" approach. I somehow work in the three circles and often trying to reconcile the three with some failures but also some success.

Being in the centre is very hard, you have to balance between proper implementation (the creation part), proper implementation against "deconstruction"/attacks while keeping an eye on the scientific input.

In the chapter 46 of the "Myths of Security", John Viega is nicely explaining when you are just in the academic hacking circle without going close to the two other circles. You are doing academic novelty that no one can use, implement and attack. So the impact of your academic research is only the academic circle and nothing else.

When Linus Torvalds is stating "we should not glorify security monkey", this is the classical behaviour of staying in the "de constructing" circle without trying to find something creative and/or academic to solve the security issue.

When Wietse Venema is explaining that you should write small independent without modifying existing program to not affect the integrity of the others program, it's when you are creating a new software without taking into account the "de constructing" attacks on your software or the scientific background to make your software with a good level of formal correctness.

I'm the first to make the mistake to be contained in a single circle but you must force yourself to touch the two other circles in some ways. Information security is difficult but this equilibrium (academic, creativity and deconstruction) is difficult to reach. When you are close to reach to it, this is really a great moment...