I respectfully disagree.

The need for a firewall or IDS is due to the poor coding of the receptor of
network traffic - so you have to prevent bad things from reaching the
receptor (which is the TCP/IP stack and then the host operating system - and
then the middleware and then the application).

The reason you have to prevent bad things from reaching the receptor (OS) is
because of poor coding practices in the receptor (OS).

In terms of state diagrams - you have an undefied state in the code - which
produces unpredictable actions.  Technically speaking, it's undesireable but
predictable actions - that's how the software can be used to gain
unauthorized entry.  And once someone finds the hole - the very mechanism
used for protection (networks) is used to spread the story.  Kind of like
the farmer eating his seed corn.   :)

Regarding roles - there are many who do Infosec - in many different roles.
Law makers, lawyers, Boards of Directors, management, policy staff,
technical staff, network engineers, programmers, quality assurance staff,
users, ethical hackers, unethical hackers, et al.

I'm not sure we're moving the industry forward by trying to say "I am one"
but "You are not" - are we?

Mike Hines
Michael S Hines

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to