Christopher Nicholls wrote:

| I couldn't agree more. Further, I think one of the most alarming trends
| developing is the movement towards "shrink-wrap firewalls" - buy now pay
| later! If ever there was an item not to be bought off-the-shelf, it's
| security. Maybe one day we will be able to use self configuring f/w

I disagree strongly, unless you agree to add the word "today," so that the sentence reads '...not to be bought off-the-shelf today,...' then sure. But we need to move to a situation where new products come with security because it's one of those things that engineers think about when building the toolkits that companies use to build products.

Adding security on after a product is developed costs about ten times as much as adding it during development. Adding security after deployment is nigh well impossible. You may add client authentication, hijack resistance, and some other stuff, but if your application has no security, then it may not do a lot of good.

| 2) you (the consultant) are not just holding the high intellectual ground to
| prevent them from such implementations and 3) IT security is not talismans
| and incense?

You do this by making security more than talismans and incense. This requires an engineering process that doesn't often result in things like Biham's recent crack of X9.52. Security is not often engineered today, which means that management perception of it is reasonably accurate as talismans and incense.

| A firewall is not a means unto itself - it is only the proverbial tip of
| the (security) iceberg.

ok, we can agree on this. :)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:53:57 PDT