Hypothesis #5 -- Security Begins at the Application and Ends at the Mind

The application must do most of the work [1]. For really secure systems, only application security is worthwhile. That is simply because most applications are delivered into environments where they have little control or say over how the underlying system is set up.

#5.1 Security below the application layer is unreliable

For security needs, there is little point in for example relying on (specifying) IPSec or the authentication capabilities or PKI or trusted rings or such devices. These things are fine under laboratory conditions, but you have no control once it leaves your door. Out there in the real world, and even within your own development process, there is just too much scope for people to forget or re-implement parts that will break your model.

If you need it, you have to do it yourself. This applies as much to retries and replay protection as to authentication and encryption; in a full secure system you will find yourself dealing with all these issues at the high layer eventually, anyway, so build them in from the start.

Try these quick quizzes. It helps if you close your eyes and think of the question at the deeper levels.

These questions lead to some deeper principles.


[1] This is also known as the End to End Principle as espoused in: "End-to-End Arguments in System Design," Saltzer, J., Reed, D., and Clark, D.D., ACM Transactions on Computer Systems, 1984.

[2] See " Reliable Connections are Not" for the detailed answer.

[3] 39% likely if in the enterprise, 23% at home. See Table 1: " Software Defaults as De Facto Regulation: The Case of Wireless APs ," Rajiv Shah and Christian Sandvig, TPRC'07, September 2005,

H1          H2          H3          H4          H5          H6          H7