Dailydave mailing list archives

Re: Media Excitement!


From: robert () dyadsecurity com
Date: Thu, 21 Apr 2005 12:55:17 -0700

Kohlenberg, Toby(toby.kohlenberg () intel com)@Thu, Apr 21, 2005 at 12:21:57PM -0700:
There will always be flaws in software, no matter how hard people try
to write good code, so do we just try to minimize patching or are you
actually suggesting that patching shouldn't be necessary at all?

Patches are necessary.  Holes need to be plugged.  However, if the
systems have adequate security mechanisms in place the rush to patch
would not be as time critical.  A security bug in a running software
module should not lead to a total compromise of the system.

We have been trying (unsuccessfully) to fit a square peg into a round
hole.  CAPP/DAC systems are not meant to stand up to directed malice. 
Without a policy, you can not have a policy violation.  Without a
full-time fine grained mandatory enforced policy (reference monitor
concept), you might as well not have a policy at all.  Where there is
discretion, there is the potential for violation of the non-enforced
policy.  You can not model a non-enforced policy.

Also, adding mechanisms after the fact to a faulty security base is
invalid.  Building a castle on a foundation of quicksand isn't wise. 
But that's what we do.  I guess that's what customers are demanding...
the whole practice just seems odd.

"What we have here is a failure to communicate" :).

What I mean to say is, "Defence in Depth" works.  We use at least 7
firewalls from 4 different vendors (gateway and host based).  Two host
level anti-virus and a gold corporate edition gateway anti-virus
program.  Also our IPS makes us immune to all attacks (known and
unknown). .....

Damn it, why does my website now say:
"Hacked by chinese!"

Robert

-- 
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave