Firewall Wizards: Re: [fwd] Firewall Products: Many Not Ready For Prime Time,

From: Adam Shostack <adam_at_homeport.org>
Date: Wed, 1 Apr 1998 17:48:03 -0500 (EST)

Christopher Nicholls wrote:

| I couldn't agree more. Further, I think one of the most alarming trends
| developing is the movement towards "shrink-wrap firewalls" - buy now pay
| later! If ever there was an item not to be bought off-the-shelf, it's
| security. Maybe one day we will be able to use self configuring f/w

        I disagree strongly, unless you agree to add the word "today,"
so that the sentence reads '...not to be bought off-the-shelf
today,...' then sure. But we need to move to a situation where new
products come with security because it's one of those things that
engineers think about when building the toolkits that companies use to
build products.

        Adding security on after a product is developed costs about
ten times as much as adding it during development. Adding security
after deployment is nigh well impossible. You may add client
authentication, hijack resistance, and some other stuff, but if your
application has no security, then it may not do a lot of good.

| 2) you (the consultant) are not just holding the high intellectual ground to
| prevent them from such implementations and 3) IT security is not talismans
| and incense?

You do this by making security more than talismans and incense. This
requires an engineering process that doesn't often result in things
like Biham's recent crack of X9.52. Security is not often engineered
today, which means that management perception of it is reasonably
accurate as talismans and incense.

| A firewall is not a means unto itself - it is only the proverbial tip of
| the (security) iceberg.

ok, we can agree on this. :)

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
Received on Apr 01 1998