Re: Initial thoughts on technical design

From: Douglas W. Jones <jones@cs.uiowa.edu>
Date: Wed Jul 30 2003 - 17:58:16 CDT

> I disagree with Douglas here. I may well have missed aspects of the
> threat model, or have cryptographic weaknesses in my suggestion. But I
> strongly believe that this sort of design absolutely must come BEFORE
> you design code, data, and interfaces. Security isn't something to bolt
> on at the end; at least not if you do it right (i.e., not MS-style).

I wasn't saying you bolt it on at the end! I've always advocated
designing the first prototype with the intent that it be discarded!
Only after you figure out all the pieces you need can you figure out
the threat model you're defending against, and you generally can't
do that until you start writing code.

So, plan one to throw away, then, using that system as an external
spec, engineer the real system right, modularizing it correctly,
designing the real data formats, the proper security models, etc.,
and then pushing through to an implementation.

The classic software engineering error is to design all the data
structures first, then write code that's structured around the data
you only learn is wrong after you've got a big system half built.
So, don't lock yourself in prematurely! Get that prototype done first,
using effective rapid prototyping methodology, and based on internal
data formats that are scaffolding, not the official final standard.

                        Doug Jones
                        jones@cs.uiowa.edu