
Open Reference Architecture for Security and Privacy - ignoramous
https://security-and-privacy-reference-architecture.readthedocs.io/en/latest/
======
EternalAugust
This is pretty cool. I have been considering collating a bunch of notes I've
been collecting on Linux security into a free book which would be aimed at
security researchers and system administrators who have the luxury of securing
their systems beyond checklists... though I'm nowhere near realizing that.

A few comments on the design of the book here, though. It seems strange to me
that privacy and security should be treated together. Security and privacy are
frequently mutually exclusive. To get the best privacy you often have to
sacrifice some security, and vice versa. An example would be allowing Windows
Defender to automatically submit data and files to Microsoft. This increases
security but decreases privacy. Another example is how Google requires you to
submit a non-VoIP phone number during Google account creation. Obviously, this
decreases privacy, but it also prevents spammers from flooding the comments
section of YouTube videos with links to sites hosting malware (this used to be
a huge problem). Of course there are many controls that increase both privacy
and security together. But the relationship is complex, and I think the only
way to write a clear book for specialists with actionable guidelines is to
place either security or privacy as the priority, not both.

Also, at first glance I am not sure if the book is meant to help
administrators and businesspeople design services that are secure and protect
end-user privacy, or if it is meant to help end-users themselves protect their
privacy/security, or both [Edit: 1]. In the Introduction: "This reference
architecture is created to improve security and privacy designs in general."
Chapter on security principles seems aimed at the admins too. But there is a
whole chapter on OSS Privacy Applications that seems to target end-users and shows
them how they can protect their privacy. I am left wondering: "Is this book
for me? Maybe. Idk." Maybe I skimmed too quickly, but it really seems like
it's trying to address too many audiences at once.

Maybe the authors can comment on why they made these design decisions.

[1] Edit: add to that developers, with the chapter on secure coding
guidelines.

~~~
SkyMarshal
Not an author, but there's a lot of overlap. Code bugs lead to breaches, which
lead to data theft and loss of privacy, namely.

Figuring out various strategies for tightening up that causality chain
improves both security and privacy. Formal verification and security proofs of
cryptography code. Provably correct software systems. Comprehensive testing.
Using application or systems frameworks that have been developed with a
security-first mentality, rather than security-bolted-on mentality (too many
today use the latter). Etc.

------
a_band
This looks like an amazing resource. Security and Privacy is intimidating for
engineers and the resources and training are currently hoarded by massive
enterprises. Really excited to see stuff like this become widely available.

------
ignoramous
Paperback:
[https://www.amazon.com/dp/1540606481/](https://www.amazon.com/dp/1540606481/)

