Applications can gain a lot of security by building on top of a
lower-layer secure communication substrate, such as that provided by IPsec
or TLS.  Such substrates allow the application developer to make 
assumptions about the security of the basic communication path, and 
have these assumptions be valid.  Precisely the sorts of things you 
are citing as "bad" can be addressed in this way.  Fancier 
application security requires some level of customization, perhaps in 
an application-specific fashion, as you noted.


