I respectfully disagree. The need for a firewall or IDS is due to the poor coding of the receptor of network traffic - so you have to prevent bad things from reaching the receptor (which is the TCP/IP stack and then the host operating system - and then the middleware and then the application).
I'm gonna have to go ahead and disagree with you, there, Michael. You're looking at things far too narrowly. And here's a very simple example: Small business. Single DMZ. Hosts DB and Web App on separate platforms. Web app needs to make back-end calls to DB. There's no reason whatsoever why
[EMAIL PROTECTED] writes: certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way. Perhaps what is needed is a separate certification.
Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own? -Original Message- From: [EMAIL PROTECTED]