Full Disclosure mailing list archives
Re: The Death of Defence in Depth ? - Aninvitation to Hack.lu
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Sat, 13 Oct 2007 03:26:21 +0200 (CEST)
On Wed, 10 Oct 2007, imipak wrote:
The problem - well, *a* problem, anyway - is that there are two contradictory axioms in infosec that are regularly cited to support or attack a particular strategy. "Defence in depth"
The lines of defense are as independent as possible. The enemy does not win unless all of them are defeated. Formally, the attacker has to satisfy a conjuction of conditions.
"A chain is only as strong as it's weakest link".
The links of a chain are dependent. The chain falls apart as soon as any of them are broken. Formally, the attacker has to satisfy a disjuction of conditions. There is no contradiction. You should try making the components of a secure system as independent as possible, and any residual dependencies should always go from less secure (and less important) components to more secure (and more important) components, never the other way. It was not difficult. Was it? --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: The Death of Defence in Depth ? - Aninvitation to Hack.lu imipak (Oct 10)
- Re: The Death of Defence in Depth ? - Aninvitation to Hack.lu Pavel Kankovsky (Oct 12)