- Too many products are designed and implemented on the assumption that they need to guard against random failure rather than against targeted malice. It isn’t enough to make sure you are safe from failures caused by network outages and the like; systems have to be built to withstand attackers who are deliberately trying to cause harm.
- System designers and implementers often fail to properly characterize the threat to their systems. Guarding against a generalized threat, where you only need to be more secure than the next guy (assuming opportunistic attackers will move on to easier prey), is very different from withstanding attackers who have your system specifically in mind.
Both of these are crucial if you are looking to build systems that will withstand the environment in which they are deployed.
Also, Bruce Schneier reminded me of this resource: The Department of Homeland Security “Build Security In” website. Lots of good stuff there, including articles from Dr. Gary McGraw about Architectural Risk Analysis. Check it out.
dan _at_ denimgroup.com