The A6 API is a security stack designed to provide Audit, Assertion, Assessment, and Assurance capabilities. There's one problem: providing assurance can't be done by machines alone. You need a human element, one that stands up and says "these results are true and good". Outside of wild notions about black-box mechanisms and trusted computing, I'm hard pressed to find a technology solution to achieve this. What we really need is human participation in the stack, but the difficult part about humans is that we all have our own unique perspective on what is or isn't accurate, what's correct, and ultimately how one defines security.
What we need is a standardized way of reporting on complex concepts dealt with in security assessments and audits. If we had a standard security reporting language, we could reduce variation in security reporting and improve interpretability. We can look to financial reporting for an approach.
In financial reporting there are two parts to the process: one is the assertion and the other is assurance, the first done by the public company and the second by a public audit firm. The public company says "we have X million dollars of this and that"; the public audit firm confirms that it is indeed true.
Of course, we all know that financial reports are subject to manipulation and there's always some grey area in what a term means; this is further compounded by the various forms in which financial reporting is published (human readable for sure, but set in any order and dressed up in many different ways).
To address this, the International Accounting Standards Board (IASB) issued a standard known as International Financial Reporting Standards (IFRS), which has a taxonomy defining terms; for situations where a term is not defined, the new term can be described from atomic components and concepts within the taxonomy. There's a separate standard known as eXtensible Business Reporting Language (XBRL), maintained by XBRL International, which allows the clear meaning of financial numbers to be articulated in a way that is both machine readable and IFRS compliant: every reported number is tagged with a taxonomy concept, a context (which entity, which period) and a unit, so a reader (human or machine) knows exactly what the number claims to be.
Here's a snippet of XBRL (reporting on Operating Income, Administrative Expenses, Operating Expenses); only the reported values survive here, the element tags around them did not:

38679000000
35996000000
870000000
10430000000
If we had an IT security reporting standard similar to XBRL, one which requires detailed exposure of information and provides clear definitions of terms, cloud providers could self-issue reports that, while still open to manipulation, become that much harder to subvert. Let's call it eXtensible Security Reporting Language (XSRL). With an XSRL report, we'd all use consistent terms and consistent inputs, and an assurer could vouch for a precise set of tagged facts rather than for a free-form document.
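As an added example (not code from the original post or from the A6 project), here is the XBRL mechanism described above applied to a hypothetical XSRL report: facts are parsed with their taxonomy concept, context and unit, and a separate assurance record is then bound to the parsed assertion so that any edit the asserter makes after the assurer has signed off is detectable. The ifrs-full and xsrl namespace URIs, the concept names, the sample values and the use of an HMAC as a stand-in for the assurer's signature are all assumptions made for this example.

```python
"""XBRL-style facts for a security report, plus a detached assurance record.

Added example: not code from the original post or from the A6 project.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

XBRLI = "http://www.xbrl.org/2003/instance"   # the real XBRL instance namespace
NS = {"xbrli": XBRLI}

# Constructed financial instance, modelled on an IFRS filing. The ifrs-full
# namespace URI and concept names are assumptions; the values are the ones
# quoted in the post.
FINANCIAL_INSTANCE = """\
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:ifrs-full="http://xbrl.ifrs.org/taxonomy/2017-03-09/ifrs-full">
  <xbrli:context id="FY">
    <xbrli:entity><xbrli:identifier scheme="http://example.org/id">EXAMPLE-CO</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:startDate>2016-01-01</xbrli:startDate><xbrli:endDate>2016-12-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="USD"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <ifrs-full:ProfitLossFromOperatingActivities contextRef="FY" unitRef="USD" decimals="-6">38679000000</ifrs-full:ProfitLossFromOperatingActivities>
  <ifrs-full:AdministrativeExpense contextRef="FY" unitRef="USD" decimals="-6">870000000</ifrs-full:AdministrativeExpense>
</xbrli:xbrl>
"""

# Hypothetical XSRL instance: the same mechanics, with security concepts.
# The xsrl namespace and concept names are invented for this example.
XSRL_INSTANCE = """\
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:xsrl="http://example.org/xsrl/2009">
  <xbrli:context id="Q3">
    <xbrli:entity><xbrli:identifier scheme="http://example.org/id">EXAMPLE-CLOUD</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:startDate>2009-07-01</xbrli:startDate><xbrli:endDate>2009-09-30</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="count"><xbrli:measure>xbrli:pure</xbrli:measure></xbrli:unit>
  <xsrl:OpenCriticalVulnerabilities contextRef="Q3" unitRef="count" decimals="0">3</xsrl:OpenCriticalVulnerabilities>
  <xsrl:ExternalPenetrationTestPerformed contextRef="Q3">true</xsrl:ExternalPenetrationTestPerformed>
</xbrli:xbrl>
"""


@dataclass(frozen=True)
class Fact:
    concept: str            # "{namespace}LocalName": the taxonomy fixes the meaning
    value: str
    context: str            # who reported it, and for which period
    unit: Optional[str]
    decimals: Optional[str]


def parse_facts(instance_xml: str) -> List[Fact]:
    """Return the reported facts, rejecting any that point at a missing context or unit."""
    root = ET.fromstring(instance_xml)
    contexts = {c.get("id") for c in root.findall("xbrli:context", NS)}
    units = {u.get("id") for u in root.findall("xbrli:unit", NS)}
    facts = []
    for el in root:
        if el.tag.startswith("{%s}" % XBRLI):
            continue                      # context/unit bookkeeping, not a reported fact
        ctx, unit = el.get("contextRef"), el.get("unitRef")
        if ctx not in contexts:
            raise ValueError(f"{el.tag}: unknown contextRef {ctx!r}")
        if unit is not None and unit not in units:
            raise ValueError(f"{el.tag}: unknown unitRef {unit!r}")
        facts.append(Fact(el.tag, (el.text or "").strip(), ctx, unit, el.get("decimals")))
    return facts


def assertion_digest(facts: List[Fact]) -> str:
    """Order-independent SHA-256 over the facts: exactly what the assurer vouches for."""
    rows = sorted(f"{f.concept}|{f.context}|{f.unit}|{f.decimals}|{f.value}" for f in facts)
    return hashlib.sha256("\n".join(rows).encode()).hexdigest()


def issue_assurance(instance_xml: str, assurer: str, assurer_key: bytes) -> dict:
    """The assurer's statement: 'I, <assurer>, vouch for precisely these facts.'
    An HMAC under the assurer's key stands in for a real digital signature (assumption)."""
    digest = assertion_digest(parse_facts(instance_xml))
    mac = hmac.new(assurer_key, f"{assurer}|{digest}".encode(), "sha256").hexdigest()
    return {"assurer": assurer, "assertion_digest": digest, "mac": mac}


def verify_assurance(instance_xml: str, assurance: dict, assurer_key: bytes) -> bool:
    """True only if the report still matches the facts the assurer vouched for."""
    try:
        digest = assertion_digest(parse_facts(instance_xml))
    except (ET.ParseError, ValueError):
        return False                      # malformed or dangling report: nothing to assure
    if digest != assurance["assertion_digest"]:
        return False                      # the asserter changed a fact after assurance
    expected = hmac.new(assurer_key, f"{assurance['assurer']}|{digest}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, assurance["mac"])


if __name__ == "__main__":
    key = b"assurer-demo-key"             # constructed demo key
    rec = issue_assurance(XSRL_INSTANCE, "Example Assessor LLP", key)
    print(verify_assurance(XSRL_INSTANCE, rec, key))                         # True
    print(verify_assurance(XSRL_INSTANCE.replace(">3<", ">0<"), rec, key))   # False
```

The split mirrors the financial model: the asserter produces the instance, the assurer binds its identity to a digest of the parsed facts rather than to the raw bytes, so cosmetic reordering of the report is harmless while changing a single tagged value (the open critical vulnerability count in the demo) breaks verification. In a real deployment the HMAC would be an asymmetric signature from the assurer's key so that anyone can verify without holding a secret.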
The three big challenges with the XSRL concept are:
- It's perfectly fine (in fact expected) for a public company to disclose their finances, but the same cannot be said of security vulnerabilities or perimeter defences. Even though I'm a strong believer in Shannon's maxim and Kerckhoffs's principle, it's important to understand that the maxim does not advocate broadcasting details, but rather assuming the enemy will learn them and designing so that the knowledge does not make them a more effective attacker.
- If you lie in a financial statement, you go to jail (usually); if you lie in a security report (as long as you don't breach section 404 of Sarbanes-Oxley or equivalent), you'll probably just get your hand slapped (or bad press).
- Most security experts disagree on some aspect of security. Financial reporters have IFRS (International Financial Reporting Standards); security has no equivalent, so it would be a lot of work to get people to agree on a canonical definition of what constitutes secure and security.
That said, I still think we should try. It's hard, but it will be worth it. A6 could work without it, but I think we need to bring a formalism and maturity to security reporting that doesn't exist now, something akin to what financial auditors have today (Lehman Brothers and the like aside).