In my opinion most of the time when one sees or writes about the lack of
security in obfuscation one refers to a situation where obfuscation is the
sole security measure in an environment that requires some hard-core
security. Bottom line is, obfuscation provides some limited security and is
not recommended as the sole security measure in, say, a bank. Also, one can
start a new thread about different methods of obfuscation and their
respective benefits in a security context.

I think application security should be loosely defined as a method of making
it difficult for the attacker to get information that is secured by it. How
difficult (resource-wise) you want to make it for the attacker is up to
you. Obfuscation alone might just not make it difficult enough for the
attacker to get to your sensitive data in some cases.

TK

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 4:24 PM
To: CF-Talk
Subject: RE: RE: RE: Securing CF Apps.

  > I used to work with a security/cryptology expert. His #1 rule:
  >
  > "Never, ever use obfuscation".

  While I wouldn't categorize myself as a security expert, much less a
  cryptologist, I would disagree with this. At the very least, I'd amend it to
  "Never, ever use obfuscation as your sole method of security."

  There is nothing wrong with "security through obscurity", as long as you
  don't rely on it as your only protection. I would draw an analogy between
  computer security and getting shot at. When you're being shot at, there are
  two sorts of protection you might resort to. You might take cover by getting
  behind a solid object that can block fire. You might conceal yourself behind
  something that would obscure you as a target. When you're getting shot at,
  cover and concealment are both useful; concealment won't stop a bullet, but
  it'll lessen the likelihood of people shooting in your direction. Ideally,
  you want both cover and concealment, of course, if for no other reason than
  to avoid the stress of being shot at.

  Dave Watts, CTO, Fig Leaf Software
  http://www.figleaf.com/
  phone: 202-797-5496
  fax: 202-797-5444