Secure Coding mailing list archives
Darkreading: compliance
From: jms at bughunter.ca (J. M. Seitz)
Date: Wed, 4 Apr 2007 08:38:38 -0700
> For many shops, having another type of firewall could cost millions whereas putting tools in the hands of developers may actually be cheaper. We as a community may be better served by encouraging application firewalls and letting the financial model for complying work in our favor...
I definitely agree, and I strongly disagree with Gary that application firewalls are "hare-brained" solutions. It's always been my feeling, and I try to put this into practice in my current role, that security is a multi-layer approach: secure coding practice in development, a proper QA cycle and regression testing, deployment security touchpoints, and finally, as the extra layer on top, putting application layer firewalls in place, so that if we ever have a 0-day style vulnerability it's very quick to throw in a rule to protect it and begin working on a patch. Now I know that your consulting business relies on you promoting "security from the inside", but are you saying that application firewalls are pointless and we should stop using them? Or are you saying that it's ridiculous that we ever got to the point where applications are so insecure that we need a transaction-per-transaction inspection mechanism to make sure the bad guys aren't getting us? You may want to clarify this a little bit for us sec-newbs....

JS
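The "throw in a rule while the patch is being written" layer Seitz describes is usually called virtual patching. The following is an added illustration, not code from anyone on this thread or from any WAF product: a tiny request filter in which each rule names the endpoint and parameter it guards and the format the value must fully match (an allowlist model, which holds up better than signature matching while the real fix is in development). The rule id, paths and parameter names are constructed for the example; the sample requests are likewise constructed.

```python
"""Minimal virtual-patching filter (constructed example, not a real product).

Each VirtualPatch constrains one parameter on one path to an expected
format.  A request is rejected before it reaches the application if any
rule for its path is violated.  The rule_id exists so the rule can be
logged, and removed again once the code-level fix ships.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    rule_id: str          # label for logs; retire the rule when the real fix is deployed
    path: str             # exact request path the rule applies to
    param: str            # query parameter whose value is constrained
    allowed: re.Pattern   # value must fully match this pattern (allowlist, not a signature)
    max_len: int = 256    # cheap upper bound, checked before the regex runs


def parse_request(raw_url: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a request line into its path and its decoded query parameters."""
    parts = urlsplit(raw_url)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def check_request(raw_url: str, patches: List[VirtualPatch]) -> Optional[str]:
    """Return the id of the first rule the request violates, or None if it passes.

    Every occurrence of the parameter is checked, so repeating a parameter
    does not bypass the rule.
    """
    path, params = parse_request(raw_url)
    for patch in patches:
        if patch.path != path:
            continue
        for value in params.get(patch.param, []):
            if len(value) > patch.max_len or not patch.allowed.fullmatch(value):
                return patch.rule_id
    return None


# Constructed rule: until the application validates 'id' itself, only a short
# decimal account number is allowed on /account/view.
PATCHES = [
    VirtualPatch(
        rule_id="VP-EXAMPLE-001",
        path="/account/view",
        param="id",
        allowed=re.compile(r"[0-9]{1,10}"),
    ),
]

# Constructed sample traffic: the first two requests should pass, the rest be blocked.
SAMPLE_REQUESTS = [
    "/account/view?id=42",
    "/search?q=anything&id=not-covered-by-a-rule",
    "/account/view?id=42abc",
    "/account/view?id=42&id=x",
    "/account/view?id=" + "9" * 11,
]


def triage(requests: List[str], patches: List[VirtualPatch]) -> Dict[str, List[str]]:
    """Group requests by the rule they tripped ('allowed' for those that passed)."""
    result: Dict[str, List[str]] = {}
    for req in requests:
        key = check_request(req, patches) or "allowed"
        result.setdefault(key, []).append(req)
    return result


if __name__ == "__main__":
    for key, reqs in triage(SAMPLE_REQUESTS, PATCHES).items():
        print(f"{key}:")
        for req in reqs:
            print(f"  {req}")
```

The point of the allowlist shape is that a rule written under time pressure only has to describe what the endpoint legitimately accepts, not anticipate every malformed input; the rule id is what lets you find and retire it once the application-level fix is in place.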
Current thread:
- Darkreading: compliance McGovern, James F (HTSC, IT) (Apr 02)
- <Possible follow-ups>
- Darkreading: compliance Gary McGraw (Apr 04)
- Darkreading: compliance McGovern, James F (HTSC, IT) (Apr 04)
- Darkreading: compliance J. M. Seitz (Apr 04)
- Darkreading: compliance Dinis Cruz (Apr 04)
- Darkreading: compliance bugtraq at cgisecurity.net (Apr 04)
- Darkreading: compliance McGovern, James F (HTSC, IT) (Apr 04)