[aklug] Re: Information Systems Audit

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Wed Feb 06 2013 - 14:56:56 AKST

On Wed, 6 Feb 2013, Marc Grober wrote:

> Since old farts are opining....

<grumble>

> On Feb 6, 2013, at 11:05 AM, Arthur Corliss <acorliss@nevaeh-linux.org> wrote:
>
>> Leaving security & auditing to the programmers would be a horrible mistake.
>
> Security is a matter of philosophy, not science, and engineering in a sense is anathema to an adequate appreciation of the subject. A firm I worked for actually paid for a security analysis, which simply ignored a hole that, as I suggested to the IA, a high school kid could back a van through.

I sit on both sides of this. I agree that philosophy should be the
cornerstone of a development project, but the technical is just as
important. It is only through a thorough understanding of the engineering
of the platform that you can effectively practice your philosophy.

> SAs are invariably (and rightly) cast as Zeno's Achilles, and while that is no reason to throw in the towel and get in the tub with Archimedes, lol, it should give one pause to ponder.....

Now that's a good classical education, folks. Throwing Zeno's paradoxes
into the face of us rubes. ;-) That said, I would counter that you don't
have to chase the tortoise 80% of the time. The biggest truism in security
isn't in being ready to deflect specific attacks, it's being prepared to
defend against types of attacks.

Of course, with all the web crap going on these days I'm finding it much
easier to defend a box from unauthorized access than it is keeping web app A
from being abused in disclosing too much data on the box...

         --Arthur Corliss
           Live Free or Die
Received on Wed Feb 6 14:57:05 2013

This archive was generated by hypermail 2.1.8 : Wed Feb 06 2013 - 14:57:05 AKST