the cost of complexity (was: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins))
zooko@mad-scientist.com
Wed, 24 Jan 2001 07:18:23 -0800
Hello daw, e-lang.
daw wrote:
>
> You seem to suggest that we have a decision to make between defense in
> depth with imperfect defenses or a single but perfect line of defense.
> But that's not the choice we are given today. If you start from the
> premise that all of our defenses are imperfect---and this seems to be
> hard to dispute---then it seems that adding multiple redundant lines of
> defense can't hurt and can only help.
Don't neglect the cost of complexity! Surely you agree that confused
designers/implementors/maintainers/users are the cause of most current
vulnerabilities in information systems?
So multiple redundant lines of defense can't hurt and can only help,
provided that deploying, maintaining, and operating them doesn't confuse
us more. If a simpler security model (a la capabilities) *is* actually
easier to "keep straight" in our heads, then that would be an important
win.
Regards,
Zooko
Journeyman Software Engineer