Raising the Bar

I often hear technologies or controls disregarded on the basis of  “It can’t protect against X scenario.” or “It doesn’t completely protect me.”

For example, take a web application firewall. It can be boiled down to a regex, and possibly some fancy behavior analysis. It CAN be subverted. Encoding, session splicing, other types of evasion can defeat them.

That’s not to say technologies and products shouldn’t strive for more. It’s just accepting the reality of the situation that you can’t completely control your environment.

It’s not about creating a perfect defense. It’s about raising the bar.

Security only works as a process, only as defense-in-depth. There is no silver bullet that can protect against all scenarios. Everything breaks when its assumptions are violated.

The whole security industry is wrapped up in an arms race. As soon as you add another layer of protection, an attacker is forced to work that much harder, and they will.

The question becomes, does the arms race ever end? (Hopefully not. It’s paying my bills.)

Smarter people than i have written about this.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s