[trustable-software] Fwd: Is 'safe + secure' equivalent to 'trustable', or a subset?
Paul Sherwood
paul.sherwood at codethink.co.uk
Wed Nov 30 10:20:07 UTC 2016
On 2016-11-30 09:20, trustable at panic.fluff.org wrote:
> The old Orange Book and Blue Book Trusted security criteria
>
> https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria
>
> are clearly about the behaviour of executing systems; they are really
> not about the construction of such systems. I think for this community
> we are really interested in the provenance.
Some of us are interested in provenance for sure. But provenance alone
is not sufficient, unless our only objective is to point the finger of
blame when things go wrong.
I am mainly focusing on construction, though, i.e. how to improve the
activities and processes that lead to systems, not just the systems
themselves.
> Is perhaps the word we are looking for, to describe what is delivered
> for a system, provenance and not trustable or trusted?
I started to think that a Venn diagram covering [secure, safe, mission
critical, trustable, trusted, provenance, reproducible, traceable,
connected] might help, but my attempts so far are not encouraging.
So I'm going to fall back to some (draft) logic versus our potential
term, which I'll call zzz for now. Additions/improvements/criticisms
welcome:
- For software to be zzz we need to know its provenance
- For software to be zzz we need to be clear about what it is supposed
to do, and be able to confirm that it does that and only that
- For software to be zzz we need to be able to re-build it from source
and expect that it still does what it did before
- Connected zzz software needs to be secure
- Some zzz software needs to be safe
- Mission critical software is normally zzz, but some zzz software is
not mission critical (because it may not conform to the norms of, or be
relevant to, users of that term)
- High integrity systems normally contain software which is zzz, but zzz
is required more generally than the common interpretation of the term
'high integrity' (maybe?)
I hope readers are not getting too bored/frustrated with this
philosophizing/bike-shedding [1].
Maybe I should just say 'I called it trustable in the initial
call-to-action. We now have the trustable.io domain and some
infrastructure. Let's get on with the work...'
br
Paul
[1] https://en.wikipedia.org/wiki/Law_of_triviality