[WEB SECURITY] The Möbius Defense, the end of Defense in Depth

Paul Johnston paj at pajhome.org.uk
Fri Jul 10 22:31:51 EDT 2009

> sure you and many people on this list have had that palmface moment
> when they see multiple firewalls lined linearly on the network or AV
> on EVERYTHING as interpretations of "layered security". In the first
I certainly have seen these attitudes, and similarly I don't agree with 
them. I guess to some extent your presentation is aimed at people who 
are still following this old interpretation of DiD. I think you can 
interpret DiD in a newer manner - more application-centric than 
network-centric - and I'd say this isn't dead. If we take your title as 
being part of the entertainment value - perhaps we're actually in 
agreement here?
> webserver / DB trust interaction. The only control the DB has in place
> is encryption, what we call Confidentiality in the OSSTMM.
> Unfortunately that control is likely to protect only against physical
> theft, from a different vector and a different Channel (again an
> OSSTMM term). 
Throughout your message you've used a few OSSTMM terms. While I have 
read the manual, I can't remember the jargon. I have a feeling in a lot 
of places we may be saying the same thing, but using different words. 
For example, when you say training developers is not a control, well, it 
may not be a control at a technical level. Perhaps the control is that the 
coding is done correctly, and in a corporate environment, one way a 
security department can try to achieve this is through developer 
training. It's the same thing in the end, different point of view.
> But the idea of layering failing here is NOT because one control is
> not perfect but because one control is often not useful as a single
> control or too narrow to cover all Channels (any of physical,
> wireless, telecommunications, human, or data networks channels). Is
> this because the definition you provided of DiD is wrong or because
> DiD for network security is wrong?
In your example, there were multiple layers that all failed. DiD didn't 
fail - it will never give you perfect security. In this case, I think 
the real problem is that the actual security afforded was less than what 
was thought, and that's because there were two layers that were believed 
to be in place, but in fact didn't help.
> I don't see why you can't have multiple controls for EVERY site no
> matter what you do. 
Different systems require different levels of protection. You can have 
extra controls, sure, but security is not going to win any respect 
demanding things that come at a cost, when they are not necessary. A few 
years ago people might have done a similar presentation on "The 
risk-based approach, the end of compliance". I thought the security 
community was pretty sold on this though.

Best wishes,
