[WEB SECURITY] The Möbius Defense, the end of Defense in Depth
paj at pajhome.org.uk
Tue Jul 7 23:07:39 EDT 2009
You certainly did a good job of keeping the entertainment value up, I
will most likely nick some of your ideas for presentations in the future.
But I want to challenge your claim of "the end of defence in depth". I
think we agree on the definition - it's layered security. We accept that
we'll never get one layer perfect, so we introduce multiple layers to
deal with this. The analogy to military defense in depth is just an
analogy, the layers aren't the same.
Looking at your example of SQL injection against a web server, I'd
challenge a couple of things. Firstly, a firewall and database
encryption are not defences against this kind of attack, so it's no
surprise that they don't help. As for the WAF, you quickly dismiss this,
as being subvertible by encoding attacks. I'm not a WAF expert, but I
expect any decent WAF would not be so easily fooled. Sure, it's possible
to bypass the WAF in some circumstances, but then that's exactly the
point of defence in depth - no one layer is perfect.
I'd see several layers of defence against this kind of attack:
1) Train developers to code in a way that avoids SQL injection (but some
may occur anyway)
2) Conduct testing to catch any vulnerabilities that exist (but some may
3) Use a WAF to protect any vulns that remain (but the WAF won't catch
4) Configure the database to minimise the impact of an injection attack
(but you'll still be able to get somewhere with an attack)
5) Logging, backups, insurance, etc. (but this just helps you recover -
if you need this, there's been an impact already)
And I'd say for a high-security site, all of these are worth doing. Not
for every site, sure - for a message board, a WAF would not be justified
and penetration testing would be a luxury more than a must have.
You've probably had a ton of messages along these lines, but I'd love to
hear your thoughts.
Pete Herzog wrote:
> Mostly serious but some is to keep the entertainment value high. For
> example, the A-team did not really invent defense in depth (they just
> perfected it!).
> I'll be releasing a making-of next week which explains all the jokes
> and the seriousness.
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
More information about the websecurity