Showing posts with label Thomas Ptacek.

Friday, June 27, 2008

XSS: it's a feature, not a bug?

Thomas H. Ptacek pointed out this thread over at 37signals, begging the question "which of the 37 signals is the one for FAIL?".

Leaving your products open to abuse and exposing your users to attack is not being a good net citizen. I am not one of those people who detest the Web 2.0 world; I actively embrace it. I just think fundamental security awareness and responsiveness need to be part of the system. And maybe have some concern and respect for your customers.

These posts at the Matasano blog dig deeper into the underlying issues:

http://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/

http://www.matasano.com/log/1067/web-20-redux/


Jack

Thursday, May 1, 2008

Defense in Depth?

Thomas Ptacek recently opined on Twitter:

"Defense in depth is one of the great bills of goods the security industry has sold IT."

As you can imagine, this led to a lively discussion among the Security Twits: a respected member of the security community (and really smart guy) attacks a fundamental tenet of security. At first I thought he had simply been working too long and hard and had lost it, but then I saw the key word in his pronouncement:

"sold"

Ah, this angle works for me. As an under-funded small-business IT guy (a redundant statement, I know) I have always relied on defense in depth, and built it into any system I could. Don't get me wrong, I paid for some of the depth, but I did not buy defense in depth. The layers have to make sense and work together.

Another angle which works is more theoretical. If we had fundamentally secure systems to begin with we wouldn't need (or have) an entire enormous industry dedicated to selling bandages for mortally wounded systems.

Wouldn't that be nice? We could have yet another discussion about that, but that would be beating a horse which is not only dead but already processed into gelatin, dog food and glue.

Jack