Security Basics mailing list archives
RE: Security vs. Simplicity
From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Tue, 26 May 2009 07:14:43 +1000
Sites such as Facebook suffer not from complexity, but rather from the model used in their creation. These Web 2.0, Agile-based code structures (commonly Ruby-based frameworks) are most often derived from a Test After or "Tad too late" model. The Model-View-Controller framework used in Ruby is a good framework, but it also simplifies the coding process such that less experienced coders are used - those without the necessary security coding skills.

Your "simple" network is in fact far more complex than many larger systems. In your example, you have touted an Integrated Firewall. Far from simplifying the issue, a single host with all-in-one features is extremely complex. Far more so than a network built from six individual systems (IPS/IDS/Firewall/AV/Logging/Router). The integration of functions on a single host increases the attack footprint and likelihood of error.

...

Dr. Craig S Wright
GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephen Mullins
Sent: Sunday, 24 May 2009 7:56 AM
To: dan.crowley () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Security vs. Simplicity

That argument doesn't really hold up in the context of this conversation. A "simple" network from both an ops and security perspective might have a single router with an integrated firewall and that's it. No DMZ, no IDS etc. Adding a DMZ, redundant routers, multiple firewalls from different vendors, IDS sensors etc. all of a sudden makes your network much more complex, and much more secure from a defense in depth perspective. The defense in depth strategy does not lessen security but rather puts more road blocks in the way of an attacker.

On Fri, May 22, 2009 at 9:49 AM, <dan.crowley () gmail com> wrote:
I'd like to challenge your original assumption that security and simplicity are inversely related (i.e., more of one means less of the other).

I have a concrete block. It is my computer. It is very simply designed. I dare you to find a vulnerability in my computer. (A silly example, perhaps, but it makes my point.)

In fact, with complexity ALWAYS comes more security problems. Take social networking sites as an example. You'd think that sites as large as MySpace, with dedicated IT folks working on them, might have some pretty good security, but its track record has really sucked. Why? Because there's SO MUCH ATTACK SURFACE.

In addition to complexity providing more places to launch attacks (attack surface), you also will likely have less of an ability to perceive possible flaws in a more complex system, leaving it up to a future attacker to do so. ;)

Given that complexity makes security harder, focus on the simplicity first, as it will make life easier for everyone, especially your security engineer.

I'd also like to add that adding security as "an extra layer" sounds like bad security to me if that's the only place security is going. Security is a property, not a box on an inventory checklist. In performing pen tests in the past, nearly all of what I see is "M&M security": one hard, difficult to break outside layer, and soft, sweet innards.

Good luck in building your infrastructure!

--
Dan Crowley

"One machine can do the work of fifty ordinary men. No machine can do the work of an extraordinary man."
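The disagreement above, between a single router with an integrated firewall and a segmented design with a DMZ, can be made concrete with a small reachability model. The following is an added example written for this page, not code from any of the posters; the two topologies, the hosts, their listening ports and the firewall rules are all constructed for illustration. It takes the pessimistic view that every reachable listening service is exploitable and computes how far an attacker who starts on the internet can get under each rule set.

```python
"""Attack-path reachability over two constructed network designs.

Added example for the Security vs. Simplicity thread. The hosts, ports,
zones and rules are made up to illustrate the argument; they do not
describe any real site.
"""
from collections import deque

# Listening services per host (constructed). "attacker" stands for the internet.
SERVICES = {
    "attacker": set(),
    "web": {80, 443},
    "db": {5432},
    "fileserver": {445},
    "workstation": {3389},
}

# A rule is (source zone, destination zone, allowed destination ports or "*").
# Any flow not listed is dropped.

# Design 1: one router with an integrated firewall and no DMZ. The web server
# sits on the same LAN as everything else, and the LAN is unfiltered.
FLAT = {
    "zones": {"internet": ["attacker"],
              "lan": ["web", "db", "fileserver", "workstation"]},
    "rules": [("internet", "lan", {80, 443}),
              ("lan", "lan", "*")],
}

# Design 2: a DMZ for the web tier, a data zone that accepts only the
# database port, and a user zone. The data zone has no outbound rules.
SEGMENTED = {
    "zones": {"internet": ["attacker"],
              "dmz": ["web"],
              "data": ["db"],
              "users": ["fileserver", "workstation"]},
    "rules": [("internet", "dmz", {80, 443}),
              ("dmz", "data", {5432}),
              ("users", "data", {5432}),
              ("users", "dmz", {80, 443}),
              ("users", "users", "*")],
}


def zone_of(topology):
    """Map each host name to the zone it lives in."""
    return {h: z for z, hosts in topology["zones"].items() for h in hosts}


def directly_reachable(topology, services, src):
    """Hosts with at least one listening service that src may talk to."""
    zones = zone_of(topology)
    out = set()
    for s_zone, d_zone, ports in topology["rules"]:
        if s_zone != zones[src]:
            continue
        for dst in topology["zones"][d_zone]:
            if dst != src and (ports == "*" or services[dst] & ports):
                out.add(dst)
    return out


def blast_radius(topology, services, start):
    """Worst case: every reachable service is assumed exploitable, so the
    compromised set is the transitive closure of direct reachability."""
    compromised = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in directly_reachable(topology, services, src):
            if dst not in compromised:
                compromised.add(dst)
                queue.append(dst)
    return compromised - {start}


if __name__ == "__main__":
    for name, topo in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "perimeter view:",
              sorted(directly_reachable(topo, SERVICES, "attacker")))
        print(name, "blast radius:  ",
              sorted(blast_radius(topo, SERVICES, "attacker")))
```

Both designs look identical from the outside: the only host the internet can talk to is the web server, which is Dan's "M&M" observation. The difference shows once the web host falls. In the flat design the unfiltered LAN lets the attacker reach every other host; in the segmented design the chain stops at the database, because the data zone has no outbound rules. The model says nothing about Craig's point that the all-in-one box itself carries more code and more room for configuration error than the single-purpose devices it replaces; it only scores the rule set.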
------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
Current thread:
- Re: Security vs. Simplicity, (continued)
- Re: Security vs. Simplicity Daniel Miessler (May 22)
- Re: Security vs. Simplicity aaa (May 19)
- RE: Security vs. Simplicity Craig S. Wright (May 22)
- RE: Security vs. Simplicity Stefan Marksteiner (May 20)
- RE: Security vs. Simplicity Marksteiner, Stefan (May 20)
- Re: Security vs. Simplicity krymson (May 20)
- Re: Security vs. Simplicity shailesh . sf (May 21)
- Re: Security vs. Simplicity dan . crowley (May 22)
- RE: Security vs. Simplicity Jason Hurst (May 22)
- Re: Security vs. Simplicity Stephen Mullins (May 25)
- RE: Security vs. Simplicity Craig S. Wright (May 26)
- Message not available
- Re: Security vs. Simplicity Daniel Miessler (May 28)
- Message not available
- Message not available
- Re: Security vs. Simplicity Aarón Mizrachi (May 28)