The lazy programmer’s guide to secure computing
This presentation starts with a simple block of code written by the Lazy Programmer, to observe how laziness made the code more compact and simpler. We then define the Principle of Least Authority (POLA), and explain why it is a best practice for secure programming. We show how laziness in that first example enabled enforcement of POLA. We then put the Lazy Programmer through a series of increasingly more difficult tasks as management attempts to make the Lazy Programmer work hard.
To achieve maximum laziness, the Lazy Programmer is driven toward increasingly more modular, encapsulating OO designs that happen to implement POLA; ultimately compelled to build systems with defense in depth to avoid work. A secret truth is thus revealed: lazy OO programmers have been using secure techniques for decades, if only they had known. We then describe the tools that turn laziness into correctly enforced security for JavaScript, Java, and distributed computing.
Marc Stiegler is a researcher at Hewlett-Packard Labs who has written “Introduction to Capability Based Security,” and designed CapDesk and Polaris, a windows overlay that isolates applications from one another to allow virus safe computing.