The Zen of Infosec

March 26th, 2018

Sure, you may know the Zen of Python, aka 'import this'. But did you know that you can also 'import cyber'?

The Zen of Infosec, by Jan Schaumann

Boring is better than clever.

Explicit is better than implicit.

Simple is better than complex.

Complex is better than complicated.

Fail closed is better than fail open.

Layers are better than bulwarks.

Usability counts.

Integrity without authenticity is rarely what you want.

Although confidentiality without authenticity may be ok.

Shamir's Three Laws still hold.

And Kerckhoffs's Principle extends beyond pure crypto.

In the face of an audit, refuse the temptation to tick checkboxes.

Hanlon's Razor is sharp as ever.

Although that may not be obvious if you've been here for a while.

100% security is impossible.

Although raising the bar is often sufficient.

If the system is hard to explain, it's a bad idea.

If the system is easy to explain, it may be a good idea.

Threat models are one honking great idea -- let's do more of those!

