[nycbug-talk] (no subject)

Marc Spitzer mspitzer at gmail.com
Tue Aug 7 21:05:00 EDT 2007


Just to throw some more gas on the fire:
http://taosecurity.blogspot.com/2007/08/black-hat-usa-2007-round-up-part-1.html

marc

On 7/16/07, Marc Spitzer <mspitzer at gmail.com> wrote:
> On 7/15/07, Jonathan Vanasco <nycbug-list at 2xlp.com> wrote:
> >
> > On Jul 14, 2007, at 9:56 PM, Marc Spitzer wrote:
> >
> > > It is part of defense in depth.  Face it, people screw up all the time,
> > > myself included, and having 2 ways to be "safe" is better than
> > > 1.  Also things like -3 TVs should be checked by unit tests before it
> > > ever gets to production.  I think that most problems are caused by a
> > > lack of discipline, not ignorance or malice.  Especially when deadlines
> > > loom, people can be pressured into doing things that may be less than
> > > good.
> >
> >
> > As long as it is a backup, and not relied upon, it's fine.  Once you
> > introduce it as something people rely on, it makes for bad coding.
> >
> > since you're also introducing something that is standardized here,
> > you also start opening yourself up to new security holes-- and you
> > have hackers not only looking to exploit your webapp, but mod_sec or
> > whatever other standard firewall app they figure you're running and
> > can look for known exploits on.
> >
> > those apps are great to bolster a strong defense, but as the only
> > defense its irresponsible.
> >
>
> I think I did mention unit tests.  But you only test, and code for,
> things you think can happen.  And things that can not happen happen
> all the time in computers.  The question is how much paranoia is
> prudent and that is something that changes from person to person and
> project to project.
>
> I also did not say they were the only defense, just that it should be
> added to the existing defenses.  The idea that you will not have
> exploitable code in your system is foolish; web servers have bugs
> after all.  What you will have is code that you think is safe, good
> code/app/webserver *and* properly configured, but sooner or later you
> will find out you were wrong, or you won't find out, which could be much
> worse.  And yes, firewalls have had exploitable code also.  But the
> idea is to have a layered defense here, and I have just recommended
> adding a layer, not lessening the other layers.
>
> marc
> --
> Freedom is nothing but a chance to be better.
> Albert Camus
>


-- 
Freedom is nothing but a chance to be better.
Albert Camus
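The "-3 TVs" case and the two-layer argument above, as an added example that is not code from anyone in this thread. It assumes a hypothetical checkout with two endpoints: one validated and unit-tested (layer 1), and a "legacy" one shipped under deadline without validation. A request filter in the spirit of a mod_security rule sits in front of both (layer 2). The price, paths and form fields are made up for illustration.

```python
"""Defense in depth for a bogus order quantity such as "-3".

Layer 1: application-level validation, which unit tests should cover.
Layer 2: an independent request filter in front of the app (the WAF-style
backup).  The point of the example: layer 2 catches the endpoint that
forgot layer 1, but layer 1 is still the control you rely on and test.
All paths, fields and prices below are constructed for this example.
"""
import re
from typing import Dict, Optional, Tuple

PRICE_PER_TV = 499  # hypothetical unit price


class ValidationError(ValueError):
    """Raised by layer 1 when a form value is rejected."""


def parse_quantity(raw: str) -> int:
    """Layer 1: strict parse of an order quantity.

    Accepts only positive integers up to 9999.  '-3', '0', '3.0', ' 3'
    and '' are all rejected.  This is the function a unit test pins down.
    """
    if not re.fullmatch(r"[1-9][0-9]{0,3}", raw):
        raise ValidationError(f"bad quantity: {raw!r}")
    return int(raw)


def place_order(form: Dict[str, str]) -> int:
    """The validated checkout path; returns the order total."""
    qty = parse_quantity(form.get("qty", ""))
    return qty * PRICE_PER_TV


def legacy_reorder(form: Dict[str, str]) -> int:
    """A second endpoint shipped without validation (the deadline case).

    With a negative quantity this happily computes a negative total.
    """
    return int(form["qty"]) * PRICE_PER_TV


# Layer 2: a generic request filter, independent of the application code.
# A leading minus sign or any non-digit in 'qty' blocks the request before
# any handler sees it.  Deliberately coarse: it is a backstop, not the app.
QTY_RULE = re.compile(r"^-|[^0-9]")


def request_filter(form: Dict[str, str]) -> bool:
    """Return True if the request may pass through to the application."""
    qty = form.get("qty")
    return qty is None or QTY_RULE.search(qty) is None


HANDLERS = {"/order": place_order, "/reorder": legacy_reorder}


def handle(path: str, form: Dict[str, str],
           filter_enabled: bool = True) -> Tuple[str, Optional[int]]:
    """Dispatch a request through both layers.

    Returns ('blocked', None) when layer 2 stops it, ('rejected', None)
    when layer 1 stops it, and ('ok', total) otherwise.
    """
    if filter_enabled and not request_filter(form):
        return ("blocked", None)
    try:
        return ("ok", HANDLERS[path](form))
    except ValidationError:
        return ("rejected", None)


if __name__ == "__main__":
    # The validated path rejects -3 with or without the filter.
    print(handle("/order", {"qty": "-3"}, filter_enabled=False))
    # The legacy path, with the filter off, produces a negative total.
    print(handle("/reorder", {"qty": "-3"}, filter_enabled=False))
    # With the filter on, the same request never reaches the legacy path.
    print(handle("/reorder", {"qty": "-3"}))
```

Run it with the filter off to see the legacy endpoint return a negative total; that is the bug the second layer exists to catch. Note the caveat from the thread: the filter rule is coarse and independent of the app, so it also needs its own tests, and anything that relies on it instead of `parse_quantity` has reintroduced the original problem.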


