AccessMyLibrary provides FREE access to over 30 million articles from top publications available through your library.

TRUST (AND MISTRUST) IN SECURE APPLICATIONS.(Industry Trend or Event)

Communications of the ACM

| February 01, 2001 | Viega, John; Kohno, Tadayoshi; Potter, Bruce | COPYRIGHT 2001 Association for Computing Machinery, Inc. This material is published under license from the publisher through the Gale Group, Farmington Hills, Michigan.  All inquiries regarding rights should be directed to the Gale Group. (Hide copyright information)Copyright

Exploring and considering trust assumptions during every stage of software development.

TRUST AND TRUSTWORTHINESS are the foundations of security. Homeowners trust lock manufacturers to create quality locks to protect their homes. Some locks are trustworthy; others are not. Businesses trust security guards to admit only authorized personnel into sensitive areas. Some security guards should be trusted; some should not. CGI programmers trust users to provide valid inputs to the data fields on Web pages. Although most users can be trusted, some cannot. The basis for these trust relationships and how they are formed can dramatically affect the underlying security of any system--be it home protection or online privacy.

Because these trust assumptions are often illusive, software development efforts seldom handle these assumptions correctly. Several common ways in which erroneous trust assumptions in software applications can wreak havoc on the security of those applications are explored here. We consider the common trust assumptions and why they are often wrong, how these trust assumptions can arise during an application's development process, and how to minimize the number of problematic trust assumptions in an application.

A trust relationship is a relationship involving multiple entities (such as companies, people, or software components). Entities in a relationship trust each other to have or not have certain properties (the so-called trust assumptions). If the trusted entities satisfy these properties, then they are trustworthy. Unfortunately, because these properties are seldom explicitly defined, misguided trust relationships in software applications are not uncommon.

Software developers have trust relationships during every stage of software development. Before a software project is conceived, there are business and personal trust relationships that developers generally assume will not be abused. For example, many corporations trust that their employees will not attack the information systems of the company. Because of this trust, a company might have a software application talking to a database over the company's network without the aid of encryption and authentication. Employees could easily abuse the lack of security to convince database applications to run phony updates. Companies usually trust their software developers and assume their developers will not leave back doors or other artifacts in their code that could potentially compromise the security of the system.

System architects must constantly deal with trust issues during an application's design cycle. Proprietary design documents and other data are often communicated over channels that should not be trusted (such as the Internet); the developer must weigh his or her trust in the people who might have access to this data, along with the potential consequences of those people abusing that trust.

Often, designers make trust decisions without realizing that trust is actually an issue. For example, it is common for a client application to establish an encrypted session with an application server using a hard-coded symmetric cryptographic key embedded in the client binary. In such a situation, many developers fail to realize they are implicitly trusting users (and potential attackers) not to reverse-engineer the software.

Related articles from newspapers, magazines, journals, and more
TrustDesk Further Enhances Trust Relationships.
Press release article from: PR Newswire September 21, 1998 700+ words
MILWAUKEE, Sept. 21 /PRNewswire/ -- M&I Data Services, a leader in trust workstation technology, has announced its general release of TrustDesk(TM) for Windows(TM). TrustDesk provides trust administrators and investment professionals with easy access to customer and asset information in
In M & D we trust. (Relationships).(teenagers trust parents most)
Magazine article from: Scholastic Choices May 1, 2002 700+ words
As a teen, you may not get along with your parents. But guess what? Chances are you trust your parents a whole lot more than you might be willing to admit. In a recent survey conducted by the PBS program ZOOM, 10,000 kids were asked whom they trusted. A total of 86 percent said they believe their
Identity management to drive security integration: building identity-based...
Magazine article from: Platform July 1, 2006 700+ words
Speaking at the association's conference, held in Barcelona on 15 and 16 June, Goodman said that the building blocks for this complex network of digital identity relationships comprise a mix of systems, applications and technologies. These include, among others: enterprise identity management;
How to extend your network to your partners without risking your crown jewels;...
Magazine article from: Network World Kearns, Dave June 28, 2006 700+ words
...access meant extending trust relationships from one forest to another...weren't happy extending trust relationships from one domain to another...most Microsoft-style trust relationships is that they're all...
Research and Markets: Evaluation of current trust and reputation systems as...
Press release article from: Business Wire June 1, 2006 700+ words
...clarifies the concepts of Trust, Trust Relationships, Trustworthiness, Trustworthiness...and methodologies of establishing Trust Relationships, to help the reader solve problems...world of e-business. By building trust relationships and establishing trustworthiness...
Negotiation. Your most powerful business tool. With over thirty years of...
Magazine article from: Purchasing August 14, 2003 700+ words
...You Can Negotiate Specification * How To Get More Information * Who Talks Too Much? * Better Questions For You * Don't Trust Assumptions * Cost Break-downs--Yes or No? * How To Make A Concession * Personal Negotiating * Negotiating an Organization...
Negotiation. Your most powerful business tool.
Magazine article from: Purchasing July 17, 2003 700+ words
...Can Negotiate Specifications * How To Get More Information * Who Talks Too Much? * Better Questions For You * Don't Trust Assumptions * Cost Break-downs -- Yes or No? * How To Make A Concession * Personal Negotiating * Negotiating an Organization...
BBC Monitoring quotes from Indonesian press 19 Dec 06.
Newspaper article from: BBC Monitoring International Reports December 19, 2006 700+ words
...the government must re-evaluate the concepts of the rice policy nationally... The government should never trust assumptions, but must require proof from the field..." (Editorial) (19) Sources: As listed BBC Monitoring
Editorial Pointers.(Editorial)
Magazine article from: Communications of the ACM Crawford, Diane February 1, 2001 700+ words
...include access policies and restrictions, network confidentiality, content integrity, compromised software apps, and trust assumptions. The next section, Intellectual Property for an Information Age, illustrates the challenges in creating a delicate balance...
Undocumented Network Hides Vulnerabilities.
Magazine article from: Computerworld Thurman, Mathias July 30, 2001 700+ words
...which I could then use to determine trust relationships among the Windows NT servers. A...of the rules, restrictions and trust relationships among those machines. In the end...also be useful in determining the trust relationships or lack thereof among servers...
For more facts and information, see all results
©2009 Gale, a part of Cengage Learning. All rights reserved.
About us | FAQs | Contact us | Privacy policy | Terms and conditions
Other Gale sites: Encyclopedia.com | HighBeam Research | Acquire Content | Books & Authors | Goliath | MovieRetriever | Smart QandA