Wednesday, February 13, 2008

Security diagrams anyone?

Help me out, I need a way to illustrate the security of an application, or system, in a truly meaningful way.  Typically we see diagrams that show boxes representing workstations, PCs, desktops and servers, all connected with lines that are labeled Firewall, SSL or HTTPS, and I find these a little less than worthless.  In many cases, after a little digging, you find out that there are gaping holes somewhere in the solution - which makes the whole 'SSL' thing disinformation.  These labels tend to lull us into a false sense of, well, security.

I'm looking for a diagramming style, technique, method, structure, or tool that lets me show the various security elements of a solution, such that one could step through the picture and know where vulnerabilities exist.  I'm thinking the resultant illustration won't look like typical architecture pictures any more than a wiring schematic looks like a house.  That's OK, just so long as technology professionals can create, edit, and understand the meaning of the symbols, lines, and notations.

One last thing, and this is vital.  The solution cannot depend on the reader having to create mental models to see the security.  A line labeled SSL requires just that; you have to know what SSL means and that it begins and ends with the line.  I'm looking for something that shows the gaps, holes, and vulnerabilities.  If you have any ideas, drop me a line.

Follow by Email