[WEB SECURITY] The Möbius Defense, the end of Defense in Depth
paj at pajhome.org.uk
Fri Jul 10 22:31:51 EDT 2009
> sure you and many people on this list have had that palmface moment
> when they see multiple firewalls lined linearly on the network or AV
> on EVERYTHING as interpretations of "layered security". In the first
I certainly have seen these attitudes, and similarly I don't agree with
them. I guess to some extent your presentation is aimed at people who
are still following this old interpretation of DiD. I think you can
interpret DiD in a newer manner - more application-centric than
network-centric - and I'd say this isn't dead. If we take your title as
being part of the entertainment value - perhaps we're actually in
> webserver / DB trust interaction. The only control the DB has in place
> is encryption, what we call Confidentiality in the OSSTMM.
> Unfortunately that control is likely to protect only against physical
> theft, from a different vector and a different Channel (again an
> OSSTMM term).
Throughout your message you've used a few OSSTMM terms. While I have
read the manual, I can't remember the jargon. I have a feeling in a lot
of places we may be saying the same thing, but using different words.
For example, when you say training developers is not a control, well, it
may not be a control at a technical level. Perhaps the control is that the
coding is done correctly, and in a corporate environment, one way a
security department can try to achieve this is through developer
training. It's the same thing in the end, different point of view.
> But the idea of layering failing here is NOT because one control is
> not perfect but because one control is often not useful as a single
> control or too narrow to cover all Channels (any of physical,
> wireless, telecommunications, human, or data networks channels). Is
> this because the definition you provided of DiD is wrong or because
> DiD for network security is wrong?
In your example, there were multiple layers that all failed. DiD didn't
fail - it will never give you perfect security. In this case, I think
the real problem is that the actual security afforded was less than what
was thought, and that's because there were two layers that were believed
to be in place, but in fact didn't help.
> I don't see why you can't have multiple controls for EVERY site no
> matter what you do.
Different systems require different levels of protection. You can have
extra controls, sure, but security are not going to win any respect
demanding things that come at a cost, when they are not necessary. A few
years ago people might have done a similar presentation on "The
risk-based approach, the end of compliance". I thought the security
community was pretty sold on this though.