[WEB SECURITY] The Möbius Defense, the end of Defense in Depth

Pete Herzog lists at isecom.org
Sat Jul 11 04:13:30 EDT 2009


> I certainly have seen these attitudes, and similarly I don't agree with 
> them. I guess to some extent your presentation is aimed at people who 
> are still following this old interpretation of DiD. I think you can 
> interpret DiD in a newer manner - more application-centric than 
> network-centric - and I'd say this isn't dead. If we take your title as 
> being part of the entertainment value - perhaps we're actually in 
> agreement here?

What you're saying I've encountered a couple of times already. For 
one, I've never said DiD is dead. It's a valid security model and has 
been for (hundreds of?) years. What I'm saying is that for its many 
definitions I've found it's not suitable for network security and for 
the modern architectures without a perimeter its practice should be 
ended. However, you say that the current definitions which are written 
*everywhere* no longer apply and that it has changed. But that's like 
saying, the land is now the sea. DiD is a valid model and has a 
definition (or more than one when it was applied to network security) 
which all centered on the layering or "depth" concept. This cannot 
apply to networks though and with networks now forgoing the perimeter 
to give applications from the outside directly to the browser on the 
desktop, for example, this should not be used. So where you say that 
DiD now means for you that it should now be applied at the endpoint, 
well, we already have a name for that and it's called endpoint 
security. Just like we already have a word for the sea and it's not 

However the Möbius defense proposed has been designed specifically to 
protect modern architectures by addressing the attack surface of the 
targets. One of the premises is to control points of interaction by 
vector and channel and not merely endpoints or applications.

> Throughout your message you've used a few OSSTMM terms. While I have 
> read the manual, I can't remember the jargon. I have a feeling in a lot 
> of places we may be saying the same thing, but using different words. 
> For example, when you say training developers is not a control, well, it 
> may not be a control at a technical level. Perhaps the control is that the 
> coding is done correctly, and in a corporate environment, one way a 
> security department can try to achieve this is through developer 
> training. It's the same thing in the end, different point of view.

Actually, I'm saying the writing of the code "correctly" is not a 
control. I can concede that the OSSTMM defines specific terms to make 
sense of the terminology thrown around loosely in security but 
controls are the protective act and not the configuration, training, 
or preparation of the protective act. Always have been. Apparently at 
some point somebody began to misuse that word too, perhaps to justify 
the cost of configuration and training. That's like saying getting the 
eggs and milk out of the fridge is making a cake but what you're 
really doing is getting the ingredients to make a cake. So secure 
programming and security awareness training are actually getting the 
controls ready to work properly. And security testing is really just 
verifying that it does work the way you want it to work.

>> But the idea of layering failing here is NOT because one control is
>> not perfect but because one control is often not useful as a single
>> control or too narrow to cover all Channels (any of physical,
>> wireless, telecommunications, human, or data networks channels). Is
>> this because the definition you provided of DiD is wrong or because
>> DiD for network security is wrong?
> In your example, there were multiple layers that all failed. DiD didn't 
> fail - it will never give you perfect security. In this case, I think 
> the real problem is that the actual security afforded was less than what 
> was thought, and that's because there were two layers that were believed 
> to be in place, but in fact didn't help.

Even if we did your proposed design under your proposed definition of 
DiD and an attack succeeds then you're saying that DiD did not fail 
there either? Because that's how it reads. Then what's your definition 
of failing? Did that change too and nobody updated the books and 
resources again? I am saying what's the point of a model which can 
never give you "perfect security"? To make the industry more money? Is 
that it? It's about perpetuity and not working ourselves out of a job? 
Because if that's the case then this industry is more evil and more 
shortsighted than I thought. Why are you and a couple other people 
working so hard to defend this broken model especially when you admit 
it's broken? That's what I don't understand.

>> I don't see why you can't have multiple controls for EVERY site no
>> matter what you do. 
> Different systems require different levels of protection. You can have 
> extra controls, sure, but security are not going to win any respect 
> demanding things that come at a cost, when they are not necessary. A few 
> years ago people might have done a similar presentation on "The 
> risk-based approach, the end of compliance". I thought the security 
> community was pretty sold on this though.

Wouldn't that depend on the value of the asset of the website and not 
on the levels of protection required? I don't see how that's system 
independent especially if so many interactive parts and components 
make up a typical website. If we know there are attackers and we know 
we have sites then we know they need to be protected. Especially if 
there is no more perimeter. And I never said EXTRA controls. That 
would assume there were controls there to begin with. I'm saying if 
it's interactive then it needs to have controls. If it doesn't then it 
is completely unprotected and in a hostile environment (the web space 
is still considered hostile, right?). Some controls can be coded in 
from the start and some can be added on later but not all controls are 

I also don't think the risk-based approach actually works well at all 
because it assumes that we can determine all the threats all the time. 
Which we can't. I think the attack surface approach will end 
compliance and it doesn't matter if that comes from the Möbius Defense 
model or anywhere else. However knowing and being able to measure what 
is exposed and uncontrolled as I suggest will give the risk folk solid 
facts to match against their risk models, it will give auditors solid 
facts as to what needs yet to be controlled, it will show the 
commercial companies which areas their products fit into and what 
markets still need to be filled, and it will make the client actually 
secure. It's a win win win win. The only ones who might lose are the 
ones who are cheating, scamming, and lying today and resist the 
change. But I see that as a good thing.

