[E-Lang] Re: Defense in depth

Jonathan S. Shapiro shap@eros-os.org
Wed, 24 Jan 2001 14:20:57 -0500

> Where do I go next for general reading on designs for
> multi-user access control systems?

I'm sorry that I have no useful pointers. You have identified what I think
is a serious hole in the literature. I do suspect, however, that XML will
prove to be part of the problem rather than part of the solution. Security
for XML applications is only now being seriously considered in the XML
community, with the predictable result that it's pretty much a bolt-on
afterthought (i.e. it will never work right). Historically, I think that
this devolves from the early document-centric view of XML. Security only
became really relevant when XML became a language for data interchange and
specification, which was relatively late in the game.

> I've had thoughts about making a case to management for
> getting some sort of application security consultant in to review our
> design.  Is this done?  Are there people who consult on this sort of
> thing regularly

Yes and yes. This is one of the things that the Johns Hopkins Information
Security Institute will do, but we're not really geared up yet. Let's take
this discussion offline and I may be able to provide useful pointers to