Andre Gironda

Yeah. Null route the FATF Blacklist at border routers, set up some minimal ACLs (using receive ACLs to track actual issues works better for security purposes than deny+log in a lot of situations), and you're done! (please see Marty Chang for the "and you're done" reference if you're in the mood for really bad humor).

Certification and accreditation of every system/app is a bit difficult when none have attained this status in a large organization. However, the CIS Benchmarks can be fairly well automated (both initial configuration and later verification and audit).

There are plenty of known-good ways of becoming CIS (or near CIS) efficient using standard tools (almost the OPPOSITE of that dailydave post -- imagining a network as an extremely intelligent adversary would and then using those same tools defensively is a good idea, no?). However, CISecurity could use the money for contributing organizations to be a member and get access to their great insider stuff, such as CIS-CAT, et al.

When building your own apps, organizations should consider using and contributing to OWASP in the same way. I bet investing in these organizations would certainly be a good place to spend all of that money you would have otherwise put towards Firewall, IPS, et al.

The industry focus on Qualys, nCircle, Foundstone, GFI, Rapid7, and/or Tenable for vulnerability assessment/management "products" may also be short-sighted. The app pen-test / appsec consulting service orgs are quickly snatching up all relevant intellectual capital around performing good/realistic assessments. And even somewhat unfortunately, the CEH and LPT certs (or any equivalents including OffSec OSCP) don't make a qualified individual to perform these assessments.

The problem really comes down to finding and retaining qualified people (i.e. NOT CISSPs), and moving/shaping their opinions/beliefs through the use of strategic trusted advisers (i.e. experts measured by the work they've done through REFERENCES, not book covers or blog hits). Regular business process outsourcing suggests in-housing 20-80 percent of "core" business, and outsourcing 20-80 percent in 20 percent increments, with redundant providers.

Speaking of which, I've heard praise of a few managed firewall providers in the case you do want to keep those clunky doorstops around.

If everyone could afford to hire Jordan and Kasparov, they would do so. Cloning humans isn't quite yet legal and it will probably never be ethical. So the replacement is to hire Jordan at least one month a year for 20% of a company's core beliefs and Kasparov the same. The trick is to find a full-timer who will listen and internalize tactics & strategies for playing ball & chess at the level of complexity that Jordan/Kasparov do.

Michael Janke

So there are attacks that bypass firewalls. That's well known. I fail to see how that negates the value of a firewall. All that really means is that a firewall is necessary, but not sufficient. Nothing new there.

Secure application design/coding fails exactly the same way. In the absence of a firewall, host hardening, database hardening, etc., anything that any app developer does is trivially easy to bypass. We know that because prior to the recent focus on applications, the platforms were the target, the platforms largely failed to resist attacks, and firewalls largely mitigated that attack.

The app security that you trumpet therefore falls under the 'necessary, but not sufficient' umbrella just like firewalls.


firewall = glorified router.

Rob Lewis

You're making a great case for scalable MLS and mandatory access controls, starting at the core. Thanks.

Deborah Volk

Really liked the post. My thoughts along the same axis are here: http://www.identigral.com/blog/2009/09/17/no-app-is-an-island
