On Mon, Apr 28, 2014 at 11:02 AM, Derick Winkworth <ccie15...@gmail.com> wrote:
> It's the antithesis of actual engineering.  Data flow specs are long gone
> because there is an assumption that reachability will exist.  People install
> products with no idea what traffic is actually flowing in and out of the
> "box" (be that hardware or software).

It's unfortunate that this behavior has been taking over all
engineering for some decades now though - I'm not sure it's IT
specific. Certainly the early decisions of major aerospace systems
like the F22/F119 and F35/F135 have played out this way too.

> On Mon, Apr 28, 2014 at 8:24 AM, Meredith L. Patterson <clonea...@gmail.com>
> wrote:
>>
>>> Do you consider accepting only a safe subset of a language a proper
>>> course of action?
>>
>> That was pretty much the exact point of Dejector, which defined a "safe
>> subset" of SQL as "the subset of rules necessary to generate the queries the
>> developer expects the application to generate under correct operation."

So we've gone application protocol proxying --> shallow packet
inspection --> DPI --> WAF --> etc. and collapse again.

There seems to be an industry argument that to make "this" work it has
to be done at the perimeter and I think that's proven to be anything
from true (also near impossible). And we already know what happens
when we bring it all back closer to the data - it falls over again.

So aren't you (or the "we") making the same argument we know won't
ever actually happen?

This is a long-winded way of saying I think we are still missing the
economic motivators of this (financial and resource). If we can't plot
the value of such engineered solutions against marketing, lawfare, PR,
etc. that all maintain market, then what's the point for the consumer
(in this case developers, operations, and stability)?

This isn't exclusive to IT - which is what worries me. Clearly
"everyone else" sees economics of it differently than we do - and
they're (so far) proven right. How do we get ahead of that since we
~know~ they're eventually catastrophically wrong?

-Ali
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
