Comments on: The Mobius Defense – An Impetus for Application Security

By: Heikki Toivonen

Heikki Toivonen — Sat, 11 Jul 2009 20:45:48 +0000

I don’t think defense in depth is completely dead concept. The outer firewall deters some attackers, some other layers deter some others and so on. Still, a determined, or lucky adversary may still find a direct path like described of course.

Also, I think defense in depth in application design still works. For example, the Firefox web browser stores profile information in random directory. There have been potential attacks that were thwarted because the attacker would have needed to know the absolute profile directory for the attack to work. Of course there have also been bugs that allow the attacker to run arbitrary code regardless of the randomized profile location, but that does not mean the random profile location is useless.

By: Pete Herzog

Pete Herzog — Thu, 02 Jul 2009 11:01:31 +0000

I explained to Tyler and some others, that this presentation, like any other type of factual information provided, is done so for those who believe something which is proven not true. Often those who already know are not illuminated which is why I threw in the humor and the pseudo-factoid about the A-team to keep those people from falling asleep. But to take it one step further at the end, unfortunately with not enough time to devote to it, I tried to create an easy plan for getting to the Möbius Defense from a DiD model. Again, those who are aware of false trusts, melting perimeters, and the infosec space being full of broken concepts that have become mantras, and shady histories, can at least use it to help them make their point to others who might still be grasping at the expired model.

I’ll be releasing the “making of” soon with full commentary. Theres already the after-presentation podcast already available at http://www.madison-gurkha.com/en/gurkhast.php but I do sound tired, which I was, having it been a long day and a surprise interview. So please be kind when listening.

By: Phil

Phil — Wed, 01 Jul 2009 23:25:43 +0000

Let’s start with proper stateful firewalls on every networked host.

IPTables, anyone?

Yes, once again, the *n*x philosophy is proven to be the right one.

By: Tyler Shields

Tyler Shields — Wed, 01 Jul 2009 14:15:35 +0000

@Antonio – What’s interesting with this model is, when pressed to the forefront, it really emphasizes the need for application level security assessment more than ever. If the degradation of the perimeter is reality, then the application layer becomes the primary target for security regardless of the other layers put in place.

By: Antonio

Antonio — Tue, 30 Jun 2009 19:06:22 +0000

It was a good read – but not particularly illuminating for me. I guess I’ve always considered this defensive mindset as a natural extension of defense in depth.

I’ve always worked at small companies ( <3000 servers) but I’ve always started at the perimeter and eventually backed up until I considered every server as it’s own island. Which naturally leads to thinking very carefully about trust relationships, etc.