The Hierarchy of Hazard Controls (hillelwayne.com)
AlotOfReading 24 hours ago [-]
I haven't encountered the hierarchy in years, but I've always felt it was a bit of a weird idea.

The first and third tiers (elimination and controls) are the same thing: separating the hazard from potential injury conditions. This can be spatial separation, temporal separation, or a dozen other kinds. A real-world example is how x-ray techs have to physically leave the exposure area and stand behind a lead panel to turn on the beam. The hazard (radiation exposure) remains, but the system is safe because the tech can't be exposed to it. We use this all the time in software. Process boundaries are a form of spatial separation, mutexes enforce temporal separation. Test/prod systems, the principle of least privilege, separation of concerns, etc.

kvmet 22 hours ago [-]
Elimination is not the same as separating someone from the hazard. Edit: elimination is (re)moving the hazard, and a control is adding a barrier or moving the person.

Elimination is completely getting rid of the hazard. (In the case of x-ray it would be just not doing an x-ray at all)

eternityforest 1 hour ago [-]
Controls can fail. Tanks of toxic waste can leak. Toxic waste that doesn't exist is much safer, assuming it's not needed to prevent danger elsewhere.
theamk 15 hours ago [-]
If the hazard is "a production shell with unrestricted privileges", then won't "elimination" mean "don't give people production shells"? This can be achieved in many ways, such as pre-made queries (with new queries that could only be added via a PR/review process), better observability, using IaaC like terraform, etc...

Instead, the author says "we could eliminate the production environment or we could eliminate the database" which really makes no sense.
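theamk's "pre-made queries" idea, worked through as an added example (not code from the thread or the linked article): the unrestricted production shell is replaced by a registry of reviewed, parameterized, read-only queries, so the only thing an operator can influence is a named query and its declared parameters. The table, rows and query names are constructed for the demo.

```python
import sqlite3
from typing import Any


def open_db() -> sqlite3.Connection:
    """Constructed sample 'production' data, then lock the connection read-only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, status TEXT);
        INSERT INTO orders VALUES (1, 'acme', 'open'), (2, 'acme', 'shipped'),
                                  (3, 'globex', 'open');
        """
    )
    # Engineering control on top of elimination: even an approved query that
    # somehow contained a write would be refused by SQLite itself.
    conn.execute("PRAGMA query_only = 1")
    return conn


# The complete set of queries operators may run. Adding an entry is a code
# change that goes through PR review; the parameter tuple is the whole
# operator-controlled surface. Hypothetical names chosen for the demo.
APPROVED_QUERIES: dict[str, tuple[str, tuple[str, ...]]] = {
    "orders_by_customer": (
        "SELECT id, status FROM orders WHERE customer = :customer ORDER BY id",
        ("customer",),
    ),
    "open_order_count": ("SELECT COUNT(*) FROM orders WHERE status = 'open'", ()),
}


class QueryNotApproved(Exception):
    """Raised for an unknown query name or a parameter set that was not reviewed."""


def run_named_query(conn: sqlite3.Connection, name: str, **params: Any) -> list[tuple]:
    # Look up by name only: raw SQL from the caller is never executed.
    if name not in APPROVED_QUERIES:
        raise QueryNotApproved(f"no approved query named {name!r}")
    sql, expected = APPROVED_QUERIES[name]
    if set(params) != set(expected):
        raise QueryNotApproved(f"{name} takes {expected}, got {tuple(params)}")
    # Values are bound, not interpolated, so they can only ever be data.
    return conn.execute(sql, params).fetchall()


def is_read_only(conn: sqlite3.Connection) -> bool:
    """True if the connection refuses writes (checks the PRAGMA actually took effect)."""
    try:
        conn.execute("DELETE FROM orders")
    except sqlite3.OperationalError:
        return True
    return False
```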

nonrandomstring 1 day ago [-]
Love this synthesis of safety and software thinking that seems apropos of Ross Anderson's musings on software safety engineering.