Thomas Ptacek recently opined on Twitter:
"Defense in depth is one of the great bills of goods the security industry has sold IT."
As you can imagine, this led to a lively discussion among the Security Twits: a respected member of the security community (and really smart guy) attacks a fundamental tenet of security. At first I thought he had simply been working too long and hard and had lost it, but then I saw the key word in his pronouncement:
"sold"
Ah, this angle works for me. As an under-funded small-business IT guy (a redundant statement, I know) I have always relied on defense in depth, and built it into any system I could. Don't get me wrong, I paid for some of the depth, but I did not buy defense in depth. The layers have to make sense and work together.
Another angle which works is more theoretical. If we had fundamentally secure systems to begin with we wouldn't need (or have) an entire enormous industry dedicated to selling bandages for mortally wounded systems.
Wouldn't that be nice? We could have yet another discussion about that, but that would be beating a horse which is not only dead but already processed into gelatin, dog food and glue.
Jack