[nycphp-talk] Basic security question
Tim Gales
tgales at tgaconnect.com
Wed Jul 14 16:10:42 EDT 2004
Paul Reinheimer writes:
> Subject: [nycphp-talk] Basic security question
>
>
> Every attack, whether web or otherwise, I have heard about
> starts with learning as much as you can about the target's
> systems.
> Knowing that, why reveal anything? Make the potential
> attacker work for every piece of information they want. Set
> the Apache server string to claim it is some recent release
> of IIS...
> Does anyone see any real advantage to this approach?
>
Before going down the misdirection route, you might be
interested in reading:
http://jerry.cs.uiuc.edu/~plop/plop2002/final/mkis_plop_2002.pdf
It discusses two antipatterns (or patterns that are known to be
faulty or problematic) in security.
The first pattern is my personal favorite --
you can't just 'bolt on security' after the application
is built (very roughly paraphrased)
The second I would name 'what you don't know could
definitely hurt you'.
(overlooking data sensitivity classification)
T. Gales & Associates
'Helping People Connect with Technology'
http://www.tgaconnect.com