Security Basics mailing list archives
Re: Security vs. Simplicity
From: dan.crowley () gmail com
Date: 22 May 2009 13:49:25 -0000
I'd like to challenge your original assumption that security and simplicity are inversely related (i.e., more of one means less of the other).

I have a concrete block. It is my computer. It is very simply designed. I dare you to find a vulnerability in my computer. (A silly example, perhaps, but it makes my point.)

In fact, with complexity ALWAYS comes more security problems. Take social networking sites as an example. You'd think that sites as large as MySpace with dedicated IT folks working on it might have some pretty good security, but its track record has really sucked. Why? Because there's SO MUCH ATTACK SURFACE. In addition to complexity providing more places to launch attacks (attack surface), you also will likely have less of an ability to perceive possible flaws in a more complex system, leaving it up to a future attacker to do so. ;)

Given that complexity makes security harder, focus on the simplicity first, as it will make life easier for everyone, especially your security engineer.

I'd also like to add that adding security as "an extra layer" sounds like bad security to me if that's the only place security is going. Security is a property, not a box on an inventory checklist. Upon performing pen tests in the past, nearly all of what I see is "M&M security": one hard, difficult-to-break outside layer, and soft, sweet innards.

Good luck in building your infrastructure!

--
Dan Crowley
"One machine can do the work of fifty ordinary men. No machine can do the work of an extraordinary man."