I think it’s about time that we document security for calculators. No, I’m not talking about the cherished TI-35 that I’ve got buried in a drawer somewhere. I’m talking about the machine I’m working on and its brethren. I’m also not talking about documenting the security of calculators. Security for calculators. That is, security documentation that can be understood and processed by computers as well as people.
Let’s face it: if it weren’t for people, we wouldn’t be having all of these information security problems. The InfoSec world keeps getting more complex, and yet for the most part people are still required to process all of that complex data. Let’s look at a couple of specific examples.
First are the IP services and ports that an application requires. This traffic often has to pass through a firewall or NAT (or both), and there are frequently problems at that boundary. Currently, if this is documented at all, it is a poorly formatted list of TCP/UDP ports and possibly endpoints. Some expensive firewall engineer has to look at that list, determine whether any of the entries are a security issue, and then correctly translate them into the format the firewall understands. Anomaly IDS sensors have to learn the application flows, because no one can take the time to tell them what the flows should be. And so on.
The effort to load firewalls and other security devices could be reduced substantially by having an XML schema for documenting the IP services in use. Security is only as good as the knowledge about the application in question, and such a standard would substantially improve our ability to know what is going on within an application.
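As an added illustration (not code from the original post, and not any published standard), the following Python sketches what a machine-readable service list might look like and what a tool could do with it: it parses a constructed XML document describing one application's services, runs the two sanity checks a firewall engineer would otherwise do by eye (a source open to the whole Internet, and a port belonging to a well-known cleartext protocol), and emits iptables rules. The element and attribute names, the application, and the addresses are all invented for this example.

```python
"""Machine-readable IP service documentation: parse an XML description of
the services an application needs, review it, and emit firewall rules."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. The <application>/<service> layout and its attributes
# are a hypothetical format made up for this example, not a real standard.
SAMPLE_XML = """<?xml version="1.0"?>
<application name="ordersvc">
  <service name="https" proto="tcp" port="443" src="0.0.0.0/0" dst="203.0.113.10"/>
  <service name="db" proto="tcp" port="5432" src="203.0.113.10" dst="10.0.2.20"/>
  <service name="legacy-telnet" proto="tcp" port="23" src="0.0.0.0/0" dst="10.0.2.20"/>
  <service name="ntp" proto="udp" port="123" src="10.0.2.0/24" dst="10.0.0.1"/>
</application>
"""

# Ports carrying well-known cleartext protocols; a reviewer would question these.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def parse_services(xml_text):
    """Return one dict per <service>, with protocol, port and CIDRs validated.

    ET.fromstring is fine for XML we wrote ourselves. Documentation received
    from a third party should be parsed with defusedxml instead, to avoid
    entity-expansion attacks (a caveat added here, not raised by the post).
    """
    root = ET.fromstring(xml_text)
    services = []
    for el in root.iter("service"):
        name = el.get("name")
        proto = (el.get("proto") or "").lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{name}: unsupported proto {proto!r}")
        port = int(el.get("port"))
        if not 0 < port < 65536:
            raise ValueError(f"{name}: port {port} out of range")
        services.append({
            "app": root.get("name"),
            "name": name,
            "proto": proto,
            "port": port,
            "src": ipaddress.ip_network(el.get("src")),  # host addrs become /32
            "dst": ipaddress.ip_network(el.get("dst")),
        })
    return services


def review(services):
    """The checks an engineer does by eye: wide-open sources and cleartext ports."""
    findings = []
    for s in services:
        if s["src"].prefixlen == 0:
            findings.append(f"{s['name']}: port {s['port']}/{s['proto']} open to any source")
        if s["proto"] == "tcp" and s["port"] in CLEARTEXT_PORTS:
            findings.append(f"{s['name']}: {CLEARTEXT_PORTS[s['port']]} is a cleartext protocol")
    return findings


def to_iptables(services):
    """Translate each service into an iptables FORWARD accept rule.

    A default-drop policy on FORWARD is assumed to be set elsewhere; these
    rules only express what the documentation says the application needs.
    """
    return [
        f"iptables -A FORWARD -p {s['proto']} -s {s['src']} -d {s['dst']} "
        f"--dport {s['port']} -m comment --comment {s['app']}:{s['name']} -j ACCEPT"
        for s in services
    ]


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_XML)
    for finding in review(svcs):
        print("REVIEW:", finding)
    for rule in to_iptables(svcs):
        print(rule)
```

The rules are printed rather than applied, so a reviewer sees the findings next to the generated configuration before anything reaches a device. The same parsed list could just as easily feed an anomaly IDS with the expected flows.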
A second area is RFC standards. Currently, if there is a security section at all, it again has to be parsed by a human. Does a service provide its own authentication? What controls are available within the service? What are its expectations, dependencies, and so on? Even having the packet schema in XML would help a lot in developing parsers for new protocols. I’ll probably need to explain this in more detail, but that will have to come later.
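To make the packet-schema point concrete, here is an added Python example (not from the original post, and not the layout of any real RFC): a header is described as a list of typed fields in XML, and one generic decoder, driven by that schema, unpacks a constructed packet. A new protocol then needs a schema, not hand-written unpacking code. The field names, types and packet bytes are invented for the example.

```python
"""A packet layout described in XML drives a generic header decoder."""
import struct
import xml.etree.ElementTree as ET

# Constructed sample: a made-up header, not the schema of any real protocol.
# Integer types are big-endian (network byte order); "bytes" has a fixed length.
HEADER_SCHEMA = """<?xml version="1.0"?>
<packet name="example-hdr">
  <field name="version" type="u8"/>
  <field name="flags"   type="u8"/>
  <field name="length"  type="u16"/>
  <field name="session" type="u32"/>
  <field name="nonce"   type="bytes" length="4"/>
</packet>
"""

# Map the schema's type names onto struct format codes.
STRUCT_CODES = {"u8": "B", "u16": "H", "u32": "I"}


def compile_schema(xml_text):
    """Turn the <field> list into a struct format string plus field names."""
    root = ET.fromstring(xml_text)
    fmt, names = "!", []  # "!" selects network byte order, no padding
    for f in root.iter("field"):
        ftype = f.get("type")
        if ftype in STRUCT_CODES:
            fmt += STRUCT_CODES[ftype]
        elif ftype == "bytes":
            fmt += f"{int(f.get('length'))}s"
        else:
            raise ValueError(f"{f.get('name')}: unknown field type {ftype!r}")
        names.append(f.get("name"))
    return fmt, names


def decode(fmt, names, data):
    """Decode one header; refuse truncated input instead of reading past it.

    Returns (header dict, remaining bytes) so the caller can parse the payload.
    """
    size = struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError(f"truncated packet: need {size} bytes, got {len(data)}")
    values = struct.unpack(fmt, data[:size])
    return dict(zip(names, values)), data[size:]


# Constructed packet: 12 header bytes matching HEADER_SCHEMA, then "Hello".
# The length field (0x0011 = 17) is the total packet length.
SAMPLE_PACKET = bytes.fromhex("01 80 0011 deadbeef 00112233 48656c6c6f")


if __name__ == "__main__":
    fmt, names = compile_schema(HEADER_SCHEMA)
    header, payload = decode(fmt, names, SAMPLE_PACKET)
    print(fmt, header, payload)
    # A consistency check a protocol parser should always make before trusting
    # a length field: it must not claim more data than was actually received.
    print("length field consistent:", header["length"] == len(SAMPLE_PACKET))
```

The decoder checks the available byte count before unpacking and returns the unconsumed tail, so the same function handles headers of any schema without ever reading beyond the buffer. Anything not expressible in a fixed-width field list (variable-length fields, options) would need the schema to grow, which is exactly the kind of detail a standards body could settle once for everyone.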
Ultimately security is too important to leave up to us humans, but we’re never going to get computers to do it well if we can’t put things in terms they can understand. We have the tools: XML, the various standards bodies, and so on. We just need to start using them.