27th episode of The Silver Bullet Security Podcast.
Interview with Gunnar Peterson
service-oriented arch SOA
security is really risk management
in web 2.0 world, we're going to have mashup - data coming from all kinds of source - and we're going to mash them up with a nice little Ajax screen inside of a browser, whicn will all work together at run time.
Butler Lampson calls the gold standard of information security:
authentication, authorization, auditing
it's called the gold standard because they all start with Au
Security ppl whine that we havent even secure Web 1.0 appl yet, and now we're moving to Web 3.0.... Look at OWASP (Open Web Appl Security Project), how much that is actually being implemented in the real world... it tells you all you need to know about the gaps in Web 1.0.
the idea behind federated identity is the technical solution that maps directly to the way almost every single business actually does business in the real world
federated identity approach says that it's the relationship between an identity provided and a service provider - through message-level security - to sign and encrypt our credentials, pass them across a potentiall untrusted system, and do business together.
that's how your mortage gets processed,
that's why you can use an ATM machine in the Bahamas or Norway
M$ is the leader of web 2.0
another leader Ping Identity
Alternative to the bix Bell-LaPadula matrix: separate the authentication logic from authorization logic
a single best book on consultancy: Secret of Consulting: A Guide to Giving and Getting Advice Successfully (Dorset house).
lenght: 27:56m
Labels: cissp, security