There's Something Stuck In My Shoe!

A usable system has many layers. There is the end-user's experience, such as web sites, interactive voice response systems, ATMs, and so on. Below these interfaces are the tools and technologies used to create and operate these systems. The security of deployed systems often depends on the usability of these underlying technologies. This paper focuses on usability issues surrounding the underlying security technologies and our attempts to transfer them into products.

Creating secure software systems is a challenge for most developers, architects, system administrators and others involved in the creation, deployment and operation of systems. Much of the software currently deployed, whether for departmental use or cloud-based software services, is increasingly built on top of complex software frameworks, middleware components, third-party software and deployment configurations. Experience with securing the composition of these software elements has had mixed results. Securing such systems is often as complex as, or more complex than, the applications themselves. We have seen this phenomenon in the deployment of Java-based systems and browser-based mashups. This paper describes some of our experiences with securing such systems, and our attempts to deploy usable solutions for securing them.

By: Larry Koved

Published in: RC25003 in 2010

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
