Re: [WEB SECURITY] The Möbius Defense, the end of Defense in Depth

Walt Williams walt.williams at
Wed Jul 8 15:41:36 EDT 2009

On Wed, Jul 8, 2009 at 2:47 PM, Pete Herzog<lists at> wrote:
> But you do agree it meets the definition of DiD as layered security,
> right? I think that's part of the problem. When you back a security
> model and find it is flawed like that it's time to question why. I'm
> sure you and many people on this list have had that palmface moment
> when they see multiple firewalls lined linearly on the network or AV
> on EVERYTHING as interpretations of "layered security". In the first
> example the layer is taken literally and in the other it's taken
> logically and both wrong. My point is that this setup is perfectly
> correct by definition with multiple levels of defense and it still was
> not good. You say so yourself. Looking at this matter with fresh eyes,
> you will see that the problem isn't so much that it's the wrong
> controls for the interaction but rather WHERE the interaction takes
> place. Suddenly, the SQL server is its own perimeter. (Logically we
> can say it's part of the perimeter.) This isn't because the logical
> layers don't make sense but because the interaction is directly
> between the external user and the DB abusing the trust relationship
> with the web server.

But you are making a logical but bad assumption on the part of the
relationship between the web application and the database.  If the
developers have done their job right, and it is our job to make
certain of that, then the web application only shows the data that is
owned by the account in question, and any SQL injection attacks will
fail because of the following defenses:

* WAF - which really is good at detecting and preventing that sort of thing
* Web application input validation - there are a variety of frameworks
  which will prevent injection attacks
* Database only executing predefined queries through stored procedures
  on behalf of the specific credentialed user, returning only those
  records owned by the user in question.

Any halfway decent web application will have those components.
Claiming that the only defense of the database is encryption is
ignoring stored procedures and a properly defined data architecture
where data is owned by database accounts and the web application
doesn't authenticate into the database so much as allow the
authenticated user controlled access to their data within the

It is not even necessary for the defined accounts to be accounts
within the database, but LDAP accounts will work just fine if the data
models and application are built properly.

DiD works, but it requires that no component of the application is
ever considered trusted.  Your strawman presumes a trust relationship
which should never exist in a well designed web application.

Walt Williams, CISSP, SSCP
Ergo inimicus vobis factus sum, verum dicens vobis?
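
Added example, not part of the original message: a sketch of the "predefined queries on behalf of the credentialed user" layer described above, with a concatenated query beside it for contrast. It assumes SQLite, which has no stored procedures, so a fixed table of parameterized statements stands in for them; the table, function names and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: two account owners, three records.
ROWS = [
    (1, "alice", "alice invoice 1"),
    (2, "alice", "alice invoice 2"),
    (3, "bob", "bob invoice 1"),
]

# The only statements the application may run. Each is parameterized and
# scoped to :owner, standing in for owner-scoped stored procedures.
PREDEFINED = {
    "list_records": "SELECT id, body FROM records WHERE owner = :owner ORDER BY id",
    "find_records": "SELECT id, body FROM records WHERE owner = :owner "
                    "AND body LIKE '%' || :term || '%' ORDER BY id",
}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", ROWS)
    return db


def run_predefined(db, session_owner, name, **args):
    """Run a named query for the authenticated owner; reject anything else."""
    if name not in PREDEFINED:
        raise PermissionError(f"query {name!r} is not predefined")
    if "owner" in args:
        raise PermissionError("owner comes from the session, not the request")
    # Request values are bound as data; the owner is taken from the session.
    params = dict(args, owner=session_owner)
    return db.execute(PREDEFINED[name], params).fetchall()


def find_concatenated(db, session_owner, term):
    """Contrast case: request text spliced into the SQL string itself."""
    sql = ("SELECT id, body FROM records WHERE owner = '" + session_owner +
           "' AND body LIKE '%" + term + "%' ORDER BY id")
    return db.execute(sql).fetchall()
```

With the predefined statement, a search term containing quote characters is matched as literal text and the owner filter still applies; with the concatenated form the same term changes the WHERE clause and the owner filter no longer holds.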
