The City: a metaphor on software and security

I've probably written about this before, but I feel inspired to write out some details as I sit in this session at ACSAC.

I think the modern city is the perfect metaphor for modern software. Individual programs are entities (people, organizations) who exist in a city. Elements of the city (other programs) provide services and utilities. There is a level of confidence in the services and utilities, but all is at risk of disruption by natural disasters or by criminal acts.

Here are some essential points:

  • What we know about a city's safety is based largely on experience. 
  • A city's level of safety can change as a result of changes that inevitably take place in a city. We might know from experience that a particular change may affect its safety, but we can't quantify the point at which a tolerated change will yield an intolerable change.
  • City safety can be increased locally in special situations - police escorts, giant vaults with heavy doors, etc.
  • All cities are like this and many people live in cities and find this a tolerable situation.

Now, let's consider "types" of cities:

  • Disneyland - a highly structured and controlled environment that is intended to provide a high degree of safety and entertainment - maybe this also applies to upscale shopping malls, too.
  • Provincial town - i.e. one in which the people know each other and live in peace with one another. The risks to one another are established culturally by expectations.
  • Big bad city - residents are familiar with the risks and know how to navigate around them. Nonresidents/visitors are often targets of attacks, though also happens to residents
  • Gated community - we control both who comes in and out as well as who lives there. Guests are restricted.

This corresponds to different types of software environments, and provides some insight when we think about them.

  • Desktop operating systems that talk to the Internet are big bad city sort of systems. They may be subject to assault, and they might be kept safe in "typical" situations.
  • High security systems aspire to the lives of celebrities. They want their bodyguards, private limos and jets, and scheduled safe actitivies.
  • I don't see a version of system like the idealized high assurance system - never patched but it just keeps working forever. Gated communities have visits by plumbers and construction workers. Disneyland gets new rides.
