[WEB SECURITY] Securing apache installation with PHP

Jay D. Dyson jdyson at treachery.net
Mon May 23 11:19:22 EDT 2005


On Mon, 23 May 2005, Peter Motykowski wrote:

> > Security by obscurity does not work. PERIOD.
>
> I don't think I've ever heard anyone argue the point of security through 
> obscurity as their only line of defense.

You can thank the Good Lord that you have not been subjected to 
the same meetings I have.  I can't remember how many times line managers 
(and even a few vendors) have suggested that security through obscurity is 
a panacea...that and firewalls.  (Nyack.)

> However, many experienced IT professionals have come to agree that 
> layers of security are a best practice and obscuring your server 
> platform as a layer is a sound approach.

I'm not one of them.  Sure, I alter headers, server tokens and 
things like that...but it's exclusively for personal entertainment.  It's 
certainly not part of my security model in any way.

In the end, service obfuscation achieves nothing.  One of three 
things will still happen: the anklebiting scriptmonkeys will just bang 
away at it; automated intrusion agents (worms) won't give a good rip and 
will still bang at it; and the truly skilled attacker will see right 
through it.  Thus, the net value of said service obfuscation is nil.

- -Jay

    (    (                                                      _______
    ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
  C|~~|C|~~| \----- Jay D. Dyson -- jdyson at treachery.net -----/ |    = |-'
   `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/