[SystemSafety] Making Standards available .....

Todd Carpenter todd.carpenter at adventiumlabs.com
Fri May 13 04:34:26 CEST 2016


> Specifically on security, I found this to be a good resource:

I use Mitre's Common Attack Pattern Enumeration and Classification
(CAPEC).  It is actively maintained, well organized, and has broad
applicability:

https://capec.mitre.org/

For a starting point that is less scary, there are the 20 CIS Critical
Security Controls:

https://www.sans.org/critical-security-controls

An even shorter list is IEEE's "don't do these 10 stupid things"

https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf

For the serious attention deficit sufferers, there's NSA's and
Australian Defense top 4:

http://csis.org/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf
(bottom of page 7)

A thoroughly entertaining read is Ross Anderson's _Security Engineering_
book.  However, it's more about stories of poor design practices, less
about actual engineering.

-TC

On 5/12/2016 7:57 PM, Steve Tockey wrote:
> Les,
> Specifically on security, I found this to be a good resource:
>
>
> WASC Threat Classification, Version 2.0, Web Applications Security
> Consortium, Jan, 2010.
>
> http://www.webappsec.org and
> http://projects.webappsec.org/w/page/13246978/Threat%20Classification
>
> It's the Web Apps Security Consortium's "Threat Catalog". It talks about
> recognized security threat vectors commonly used against web applications.
> Some of the threat vectors are web specific, but many are not.
>
>
> Cheers,
>
> -- steve 
>
> -----Original Message-----
> From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de>
> on behalf of Les Chambers <les at chambers.com.au>
> Date: Thursday, May 12, 2016 4:27 PM
> To: 'Peter Bernard Ladkin' <ladkin at rvs.uni-bielefeld.de>,
> "systemsafety at lists.techfak.uni-bielefeld.de"
> <systemsafety at lists.techfak.uni-bielefeld.de>
> Subject: Re: [SystemSafety] Making Standards available .....
>
> Oh and I forgot. Head of School mentioned they were thinking about security
> as a subject area. So if we could possibly integrate security and safety it
> might make it more attractive. Some of the life cycle practices are pretty
> similar, I think.
>
> -----Original Message-----
> From: systemsafety
> [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
> Peter Bernard Ladkin
> Sent: Thursday, May 12, 2016 1:45 PM
> To: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] Making Standards available .....
>
> On 2016-05-12 00:49 , Les Chambers wrote:
>> Some information has such societal benefit that it must be free.
> That's likely so, but I am not sure for a number of reasons that IEC 61508
> quite falls into that category. The phrase does capture, though, an
> anomalous situation which is not yet recognised by everyone on this list. I
> am gratified increasingly to see others such as Les and Thomas grasping the
> nettle firmly.
>
> I don't think the issue will go away. And I don't think it should go away.
>
> There is a document purporting to represent the state of the practice in the
> development of the E/E/PE parts of safety-critical systems. Nowadays, that is
> pretty much all safety-critical engineered systems.
>
> Getting safety-critical systems right is, um, critical. By which I mean
> socially critical. We have enough people ploughing their cars into groups of
> pedestrians that we don't need the cars to do it by themselves. Not to speak
> of what happens when Fukushima Daiichi NPP floods.
>
> This document is of international legal significance. In many countries, it
> represents the touchstone for whether you are criminally prosecuted for a
> programmable-electrotechnical system failure which caused injury or death.
> In at least those countries, it also represents the criteria under which you
> (or your company) may be convicted by a court for unlawful killing.
>
> Pretty serious stuff. You'd think it would be a basic part of the education
> of any electrotechnical engineer. But it's not. The main reason is that most
> engineers and engineering professors, and pretty much all students, can't
> get hold of it.
>
> That is a fact which some people here are apparently unwilling to concede.
> They say: You can buy it (it'll only cost you a quarter of a new car). Your
> company can buy it. It's in the library. If it's not in the library, it's in
> one a train ride away. It's there. Make the effort.
>
> We could test the practicality of this suggestion easily. Let me propose the
> following game to someone who does not now have access to a copy either on
> his/her bookshelf or computer or through the company. I give out a clause
> number. You get a week to say here what that clause says. I'll give out
> numbers at the rate of one a day. Let's see how long this game lasts. I
> would guess not long enough for this list to violate copyright in any
> substantial way. [1]
>
> It is a basic principle in many countries that the law of the land is
> available in source to its citizens, either freely or at a nominal charge.
> Some would say that that is a basic principle of democracy (although not all
> countries are democratic, most like to claim that they are; it's seen as a
> Good Thing for rulers to have The People's Backing). Because of its status
> as a touchstone for prosecutions, IEC 61508 is one step removed from being a
> de facto law [2].
>
> Not all standards are alike. IEC 61508 is not like a standard for
> electrical-system sockets in buildings or for the plugs that fit them. The
> device itself is all you need to be able to check if it conforms, a
> phenomenon validated by business travelers the world over on a daily basis.
> But to check if kit conforms to IEC 61508 is a specialist professional skill
> which costs great expense to exercise. And, unlike plugs, retroactive
> conformance is all but impossible to ascertain.
>
> This situation is deliberately maintained by an elite. I am part of that
> elite. I am a volunteer worker on that standard. I'm very lucky. Germany
> basically lets anyone with appropriate technical background and sufficient
> motivation participate as a guest in standards committees. Thereby I have
> free personal access to what must amount by now to a six-figure-sum of
> intellectual property [3] [4] [5]. Most countries don't have comparable
> arrangements, and I didn't know about any of this when I chose to come here
> over two decades ago. Most professional engineers don't have such
> opportunity.
>
> People who are part of the elite don't think of themselves as such. I talk
> about matters concerning IEC 61508 with other members of the elite many
> times a week. It's like talking about the weather, our kid's schooling or
> suchlike. We all share the privilege. Such conversations are difficult to
> impossible on this list because most people don't have access. That is,
> access to the document which is supposedly the foundation of the
> professional activity of almost everyone here (except the aerospace,
> automotive and medical people).
>
> There is also the issue of technical quality. Quality through obscurity is
> about as effective as its companion, security through obscurity [6].
>
> The key questions are thus. Is this what we think is the best way to
> determine and exercise engineering best practice on system safety? If not,
> how can we improve it?
>
> PBL
>
> Footnotes
>
> [1] Let's also compare this game with that knowledge represented, say, by
> Bedford and Cooke's text on Probabilistic Risk Analysis or Birolini's text
> on Reliability Engineering. I'll give out a section number. You quote me the
> first two sentences of that section. That game, in contrast, would be
> pointless.
>
> [2] Its rail equivalents, CENELEC 50128 and 50129, actually are law in
> Germany.
>
> [3] And which, I assure German taxpayers, does get passed on to students who
> take our uni courses. Which will end, after fifteen years, probably
> permanently, in two months' time. Some of those students and former students
> have contributed to the standardisation process in return. Thank you Chris
> Goeker, Hauke Kaufhold, Jan Sanders, Tim Schürmann and Bernd Sieker!
>
> [4] A data point. We once gave technical advice on a very specific piece of
> relatively simple, and small, physical kit which had gone wrong. Just
> obtaining the standards pertaining to that specific kit, its use,
> installation and maintenance, cost our clients a five-figure amount.
>
> [5] It is well protected. There is a blue folder which says I shall not give
> it to third parties, to whose conditions I have legally committed myself.
>
> [6] There are notable exceptions. William Kahan won the Turing Award for,
> amongst other things, his technical contributions to the IEEE standard 754
> on floating-point arithmetic for microprocessors (see for example
> http://scholar.google.de/scholar_url?url=http://i-n-d-e-p-t-h.googlecode.com/files/IEEE754.pdf&hl=de&sa=X&scisig=AAGBfm3ZeM2pqTnY4wkwL68WLh_miz2U9Q&nossl=1&oi=scholarr&ved=0ahUKEwiH8uWdu9PMAhVJ2hoKHSeXCa4QgAMIKigCMAA ).
> This standard, negotiated in committee during the 1970's by my grad-school
> pal Jerry Coonen, who got his PhD for this work with Kahan, is of the very
> highest technical quality, as acknowledged clearly through Coonen's PhD with
> the then-leading math department in the world, and Kahan's award. That was
> my introduction to engineering standards. Nothing else has quite lived
> up......
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld,
> 33594 Bielefeld, Germany Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
