[WEB SECURITY] The Möbius Defense, the end of Defense in Depth

Paul Johnston paj at pajhome.org.uk
Tue Jul 7 23:07:39 EDT 2009


You certainly did a good job of keeping the entertainment value up, I 
will most likely nick some of your ideas for presentations in the future.

But I want to challenge your claim of "the end of defence in depth". I 
think we agree on the definition - it's layered security. We accept that 
we'll never get one layer perfect, so we introduce multiple layers to 
deal with this. The analogy to military defense in depth is just an 
analogy, the layers aren't the same.

Looking at your example of SQL injection against a web server, I'd 
challenge a couple of things. Firstly, a firewall and database 
encryption are not defences against this kind of attack, so it's no 
surprise that they don't help. As for the WAF, you quickly dismiss this, 
as being subvertible by encoding attacks. I'm not a WAF expert, but I 
expect any decent WAF would not be so easily fooled. Sure, it's possible 
to bypass the WAF in some circumstances, but then that's exactly the 
point of defence in depth - no one layer is perfect.

I'd see several layers of defence against this kind of attack:
1) Train developers to code in a way that avoids SQL injection (but some 
may occur anyway)
2) Conduct testing to catch any vulnerabilities that exist (but some may 
be missed)
3) Use a WAF to protect any vulns that remain (but the WAF won't catch 
4) Configure the database to minimise the impact of an injection attack 
(but you'll still be able to get somewhere with an attack)
5) Logging, backups, insurance, etc. (but this just helps you recover - 
if you need this, there's been an impact already)

And I'd say for a high-security site, all of these are worth doing. Not 
for every site, sure - for a message board, a WAF would not be justified 
and penetration testing would be a luxury more than a must have.

You've probably had a ton of messages along these lines, but I'd love to 
hear your thoughts.

Best wishes,


Pete Herzog wrote:
> Hi,
> Thanks!
> Mostly serious but some is to keep the entertainment value high. For 
> example, the A-team did not really invent defense in depth (they just 
> perfected it!).
> I'll be releasing a making-of next week which explains all the jokes 
> and the seriousness.
> -pete.

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list