Shostack + Friends Blog Archive

 

What If The Hokey Pokey Is What It's All About?

I’ve always thought that folks in operation security and product security had a whole lot to learn from each other. Unfortunately for the product security people, they now also get to learns about the pain of vendors swooping down on them trying to sell them the latest and greatest crap.
Last night, Mary Ann Davidson shared her spot on opinion of automated testing tools. Her post (go read it now) can be best summarized by this paragraph:

f you are scratching your head saying, “But didn’t you rhapsodize over automated tools in a previous blog entry?,” you are right, I did. But there is a big difference between “this tool helps us do good things in security as one among many good things to do” and “this tool is a substitute for all the other things you need to do to create secure products.”

As operational folks have had the joy of learning over and over again, there are no silver bullets. Firewalls didn’t do it (either as network or host based devices), IDS didn’t do it, IPS isn’t that much of an improvement and AV is only helpful after the fact. Are all these useful as part of a larger strategy?
It’s all about defense in depth and it doesn’t matter if we’re talking about about product security, physical security or operations security. There is no magic button and there are no silver bullets. Don’t believe the hype.