[WEB SECURITY] The Möbius Defense, the end of Defense in Depth

Pete Herzog lists at isecom.org
Thu Jul 9 06:47:12 EDT 2009

Hi Walt,

> This may be, but it was your controls which you used to argue DiD
> doesn't work.  What I am suggesting is that you can't argue an abstract
> point with a concrete and deliberately flawed example.  Ignore the
> blocks for a moment and instead look at an abstract model of a
> complete and well designed DiD.  Yes, you can always find attacks
> against it, but that doesn't mean that they will achieve their goal.

The blocks and the simple example were part of the entertainment 
value. My argument was made in all the pages before that. The 
simplistic example was used for those who still didn't get it. I guess 
that's what's so hard about reading a presentation instead of watching 
it being performed. It's also why I'm writing the notes out for people 
to read them in better detail.

The research we did was applied to many, many examples in DiD, whether 
taken literally or figuratively or both, and found that it just didn't 
stand up to either the definitions we found or the modern 
architectures and interactive points. Basically, the attack surface 
was still large. While particular goals from particular vectors could 
be muted, this was done by NOT using DiD as the definitions say but 
rather by putting controls directly on the points of interaction. So 
the "layers" didn't do anything; it was the controls at the end 
points. All of the controls you suggested in the web/DB situation you 
presented did not meet the common definitions of DiD. Instead, you did 
what any experienced security person would do: you protected the asset 
at the point of interaction using varied controls. Less experienced 
or less skilled people don't necessarily do that, and certainly not 
if they follow the common definitions of the DiD model. What you're 
trying to do is extend the definition so far that it no longer 
applies. And you're doing this because the model is broken.

> If your point is to attack the idea of DiD, then you have a flawed
> example.  If your point was to get folks to think through a clever
> presentation, then you have done so, but that doesn't mean that folks
> will agree with the point you are making.

The example is only flawed in that it doesn't meet your ideal set-up. 
But that set-up exists. I myself have seen it during tests and I am 
not alone in having seen it. Your example shows our Möbius Defense in 
that it focuses on the interactive point rather than defense at the 
perimeter and, subsequently, the various devices and machines through 
which the packets may travel along the way. To better illustrate, take 
your example a bit more extreme and apply it to the cloud. Now you are 
providing that DB as part of an application which runs in the client's 
browser. Where will you set up controls? Where will the client? We 
both know the answer is the points of interaction.

We don't expect people to accept what we say at face value. We expect 
to have to prove it. However, we can't do it alone. So I presented in 
such a way to make people think and then to examine the DiD model and 
its deficiencies both at their own skill level and at the skill level 
of the people doing our jobs in the future.

> I happen to agree that there is a problem with traditional security
> architectures and have been following both the Jericho forum and its
> research for years.  I respect the fact that you're trying to
> communicate the flaws in DiD in simple and elegant ways, however I
> would ask you to remember that much of your audience will ignore that
> and see the flaws and come to the conclusion that you think DiD
> doesn't work because you don't understand it.

This will only happen if the audience doesn't look at all the other 
evidence and only focuses on that one example. From the feedback and 
impressions I have received, most people have given it a very fair 
assessment except for the one detractor who either didn't read it or 
just doesn't like me in which case he made himself a public fool 
(again, what I know from much feedback) by posting very wrong things 
about the message of the presentation.

The truth is that after all the research we did and all the tests we 
made with the model, we do know DiD better than most. It's the flawed 
definitions and the poor explanations of the model that cause pretty 
much everyone to misunderstand it. Even you made the mistake of 
applying it to mean something beyond the definition, to what you think 
works for you. But then it was no longer DiD and more like the Möbius 
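
As an added illustration of the distinction the message above draws between a "layer" in front of the asset and a control placed at the point of interaction. This is not Pete's code, not part of the ISECOM research, and not Walt's web/DB set-up; it is a constructed model in which a request passes a naive perimeter blocklist (standing in for a WAF-style layer) and then reaches a web/DB boundary that is either string-built SQL or a parameterized query. The blocklist patterns, the schema, the rows and the hostile input are all made up for this example.

```python
import re
import sqlite3
from typing import Callable, List, Optional

# Constructed "perimeter layer": a naive WAF-style blocklist in front of the app.
# It rejects a few obvious injection tokens but knows nothing about the query
# the application is about to build, so it can only guess at what is hostile.
PERIMETER_BLOCKLIST = [r"(?i)\bunion\b", r"(?i)\bdrop\b", r"--", r";"]


def perimeter_filter(user_input: str) -> bool:
    """Return True if the 'layer' lets the request through to the application."""
    return not any(re.search(pattern, user_input) for pattern in PERIMETER_BLOCKLIST)


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and rows: the asset being protected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """Point of interaction left unprotected: user data is spliced into SQL text,
    so the DB cannot tell the attacker's fragment apart from the developer's query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """Control at the point of interaction: a bound parameter is always treated as
    data by the DB engine, regardless of what the perimeter let through."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def run(name: str, lookup: Callable[[sqlite3.Connection, str], List[tuple]]) -> Optional[List[tuple]]:
    """Model one request: perimeter layer first, then the web/DB interaction.
    Returns None if the layer blocked it, otherwise the rows the DB handed back."""
    if not perimeter_filter(name):
        return None
    return lookup(build_db(), name)


# Constructed hostile input: a plain OR-based tautology. It contains none of the
# blocklisted tokens, so the "layer" passes it unchanged to the application.
HOSTILE = "x' OR 'a'='a"

if __name__ == "__main__":
    print(run("alice", lookup_concat))       # the legitimate row
    print(run("x'; DROP TABLE users", lookup_concat))  # None: the layer caught this one
    print(run(HOSTILE, lookup_concat))       # every row: the layer did nothing useful
    print(run(HOSTILE, lookup_param))        # []: the control at the interaction point holds
```

The blocklist stops the noisy payload and misses the quiet one, which is the general shape of a perimeter control that is not aware of the interaction it fronts; the parameterized query needs no knowledge of the attacker's string at all because it closes the interaction itself.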

