I respectfully disagree.
The need for a firewall or IDS is due to the poor coding of the receptor of
network traffic - so you have to prevent bad things from reaching the
receptor (which is the TCP/IP stack and then the host operating system - and
then the middleware and then the application).
I'm gonna have to go ahead and disagree with you, there, Michael. You're
looking at things far too narrowly. And here's a very simple example:
Small business. Single DMZ. Hosts DB and Web App on separate platforms.
Web app needs to make back-end calls to DB. There's no reason whatsoever why
[EMAIL PROTECTED] writes:
certifications such as CISSP whereby the exams that
prove you are a security professional talk all about
physical security and network security but really don't
address software development in any meaningful way.
Perhaps what is needed is a separate certification.
Ken, in terms of a previous response to your posting in terms of getting
customers to ask for secure coding practices from vendors, wouldn't it start
with figuring out how they could simply cut-and-paste InfoSec policies into
their own?