RE: ISA Server and SQL Injection

["Mark Curphey" <mark () curphey com>]

Paul

Please see comments inline

-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk] 
Sent: Wednesday, February 23, 2005 7:52 AM
To: Mark Curphey
Cc: webappsec () securityfocus com
Subject: Re: ISA Server and SQL Injection

Mark,

 From your tone I get the impression you've had enough discussing this! 
I'll be as brief as possible :-)

Curphey> No tone, just type fast ;-)

I think what we're actually disagreeing about is the meaning of 
"firewall". You're considering the practical meaning, i.e. a TCP/IP 
filtering device. I'm considering the logical meaning, i.e. a device 
that filters an interface based on rules. I think that answers your 
concerns of this being "architecturally wrong".

Curphey> Agree

As for you saying "No I am saying build secure software", the essence of 
the meaning is the same as  "just get the code right". The attitude 
behind both these statements is "we must get it right". What if, 
instead, the attitude was "we must account for the fact that sometimes 
we get it wrong"? If you take this onboard, many imperfect protections 
start to look more attractive.

Curphey> Building secure software IMHO is not just about getting the code
right. I think any good system should be designed to handle failure. That
goes from structured exception and error handling through to
compartmentalizing and restraining components. The crux of it is that
software IMHO has to protect itself. 

All the best,

Curphey> And you ;-)

Paul

-- 
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk