Paul
Please see comments inline
-----Original Message-----
From: Paul Johnston [mailto:paul@westpoint.ltd.uk]
Sent: Wednesday, February 23, 2005 7:52 AM
To: Mark Curphey
Cc: webappsec@securityfocus.com
Subject: Re: ISA Server and SQL Injection
Mark,
From your tone I get the impression you've had enough discussing this!
I'll be as brief as possible :-)
Curphey> No tone, just type fast ;-)
I think what we're actually disagreeing about is the meaning of
"firewall". You're considering the practical meaning, i.e. a TCP/IP
filtering device. I'm considering the logical meaning, i.e. a device
that filters an interface based on rules. I think that answers your
concerns of this being "architecturally wrong".
Curphey> Agree
As for you saying "No I am saying build secure software", the essence of
the meaning is the same as "just get the code right". The attitude
behind both these statements is "we must get it right". What if,
instead, the attitude was "we must account for the fact that sometimes
we get it wrong"? If you take this onboard, many imperfect protections
start to look more attractive.
Curphey> Building secure software IMHO is not just about getting the code
right. I think any good system should be designed to handle failure. That
goes from structured exception and error handling through to
compartmentalizing and restraining components. The crux of it is that
software IMHO has to protect itself.
All the best,
Curphey> And you ;-)
Paul
--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
