The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing to read the following post I suggest you take a few minutes and breeze through the slide deck linked here. It’s an easy and interesting read so get to it…

Mr. Herzog suggests in this presentation that the “Defense in Depth” strategy, with regard to network defense, is ineffective and antiquated, and needs to be replaced with a new and updated defense model. His proposed model is called the “Mobius Defense”.

The basic tenet of this defense is that each individual asset should be protected as if it were the only asset in the model, rather than forming lines of defense to secure the entire asset base as a whole. Two important facets are stated in his presentation:

  • Network security is a zero sum game in which a single compromise is all that is required to “win”
  • The network perimeter is truly nonexistent

If we take the above two statements to be true, then there are no clearly defined lines of defense around which a defense in depth model can accurately be built. Instead, we should secure each individual asset by limiting its inbound and outbound data flows, minimizing trust, and implementing a policy of minimal interconnectedness across the board. Distilled, the Mobius model creates a network security design that disregards network boundaries and theoretical demarcation lines in favor of a “guerilla defense” in which every actor fends for itself.
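As an added illustration (not code from the post or from ISECOM), the following Python models the per-asset policy just described: every asset declares only the flows it needs, anything undeclared is denied, and from those declarations we compute what a single compromised asset exposes. Asset names and flows are constructed for the example.

```python
"""Toy model of a per-asset, default-deny flow policy.

Each asset declares only the flows it needs, in and out; anything not
declared is denied. From those declarations we compute what an attacker
who has compromised one asset can reach, which is the cost of every trust
relationship under the "single compromise wins" assumption.
Asset names and flows below are constructed for illustration.
"""
from collections import deque

# (source, destination, service) tuples: the only traffic each asset allows.
# Constructed sample: a web tier talking to an app tier talking to a database.
ALLOWED_FLOWS = {
    ("browser", "web", "https"),
    ("web", "app", "https"),
    ("app", "db", "postgres"),
    ("app", "cache", "redis"),
    ("admin", "db", "ssh"),
}


def is_allowed(src: str, dst: str, service: str) -> bool:
    """Default deny: a flow is permitted only if explicitly declared."""
    return (src, dst, service) in ALLOWED_FLOWS


def reachable_from(compromised: str, flows=ALLOWED_FLOWS) -> set:
    """Assets an attacker holding `compromised` can reach via declared flows.

    Assumes each hop may in turn be fully compromised (the zero-sum view),
    so reachability is transitive along outbound flows only.
    """
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in flows:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {compromised}


def blast_radius(flows=ALLOWED_FLOWS) -> dict:
    """Map every asset to what it exposes; shows where trust should be cut."""
    assets = {a for src, dst, _ in flows for a in (src, dst)}
    return {a: reachable_from(a, flows) for a in sorted(assets)}


if __name__ == "__main__":
    for asset, reach in blast_radius().items():
        print(f"{asset:8} -> {sorted(reach)}")
```

Reviewing the blast radius per asset is the practical way to apply "minimal interconnectedness": each declared flow should be justified by what it exposes if its source is lost.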

So what does this mean for the application security landscape? If what Mr. Herzog presents is reality, then the application layer truly is the last, and best, line of defense (pardon the pun). With the degradation of the network perimeter, thanks in part to the iPhone, BlackBerry, web browser, and other assorted peripherals and client-based designs, there is a newfound urgency to secure each individual network touch point to the best extent possible. It’s with this urgency in mind that application security assessments should move upward in the prioritization of security spending. While I don’t suggest that defense in depth should go away and die, I do suggest that we should focus on securing the most common target of attack, the application layer. If the paradigm of the network has changed, shouldn’t our defense models change as well?

About Tyler Shields

Tyler Shields is a Senior Researcher for the Veracode Research Lab whose responsibilities include understanding and examining interesting and relevant security and attack methods for integration into the Veracode product offerings. He also keeps track of new developments from other computer science and information security researchers to ensure that Veracode technologies are always kept in line with the most recent security advancements.

Comments (5)

Antonio | June 30, 2009 2:06 pm

It was a good read - but not particularly illuminating for me. I guess I've always considered this defensive mindset as a natural extension of defense in depth.

I've always worked at small companies (<3000 servers), but I've always started at the perimeter and eventually backed up until I considered every server as its own island. Which naturally leads to thinking very carefully about trust relationships, etc.

Tyler Shields | July 1, 2009 9:15 am

@Antonio - What's interesting with this model is, when pressed to the forefront, it really emphasizes the need for application level security assessment more than ever. If the degradation of the perimeter is reality, then the application layer becomes the primary target for security regardless of the other layers put in place.

Phil | July 1, 2009 6:25 pm

Let's start with proper stateful firewalls on every networked host.

IPTables, anyone?

Yes, once again, the *n*x philosophy is proven to be the right one.

Pete Herzog | July 2, 2009 6:01 am

I explained to Tyler and some others that this presentation, like any other type of factual information provided, is done so for those who believe something which is proven not true. Often those who already know are not illuminated, which is why I threw in the humor and the pseudo-factoid about the A-team to keep those people from falling asleep. But to take it one step further at the end, unfortunately with not enough time to devote to it, I tried to create an easy plan for getting to the Möbius Defense from a DiD model. Again, those who are aware of false trusts, melting perimeters, and the infosec space being full of broken concepts that have become mantras, and shady histories, can at least use it to help them make their point to others who might still be grasping at the expired model.

I'll be releasing the "making of" soon with full commentary. There's already the after-presentation podcast available at but I do sound tired, which I was, it having been a long day and a surprise interview. So please be kind when listening.

Heikki Toivonen | July 11, 2009 3:45 pm

I don't think defense in depth is a completely dead concept. The outer firewall deters some attackers, some other layers deter some others, and so on. Still, a determined, or lucky, adversary may still find a direct path as described, of course.

Also, I think defense in depth in application design still works. For example, the Firefox web browser stores profile information in a random directory. There have been potential attacks that were thwarted because the attacker would have needed to know the absolute profile directory for the attack to work. Of course there have also been bugs that allow the attacker to run arbitrary code regardless of the randomized profile location, but that does not mean the random profile location is useless.
