At various presentations and also in our research on credit cards I came across approaches for security vulnerability research that are based on tools and techniques for building reliable systems.  I am curious about the relation between the two, and thought maybe a blog is a good venue for people to share some thoughts on the issue.

A couple of examples of what I mean:

– Martin is trying to build a reliable emulator for credit card payment. He works with Leo on proofs for reliability. Martin essentially follows the Praxis software development approach, in a light-weight incarnation. But, as a consequence, he and Leo find security vulnerabilities. Shouldn’t we have used a tool/method that aims at finding security vulnerabilities instead of one that aims at building reliable systems?  Or are these somehow the same?

– We recently had a colloquium guest speaker (recently graduated PhD student) from Glasgow who talked about her research in using safety case description languages to describe case studies for security breaches.  Such use is almost contrary to what the language was defined for, but it seemed to work.

I’m interested in the question whether we use existing dependability/safety techniques for security research because (1) we don’t have better ones yet or because (2) they are the best ones imaginable.  I guess the answer is ‘it depends’, but it struck me as interesting to try to understand this issues more generically and discuss on this blog.  So, please comment.