Dear Felix, While I love your comment and really welcome constructive criticism, I actually think you should keep the focus on the Fox News style question marks. Nowhere is being said that this is the end of Defence in Depth (as a paradigm), we ask the question. Then again you seem to be judging about something you haven't seen nor read. Is this because I ask the Fox News style questions and you give Fox News style comments ? FFL> the title is misleading at best. While I have the upmost respect of your person, in this particular case, I am sorry dude, but how can you tell ? Have you seen the presentation? Have you heard the conclusion? I don't think so? Though you are more than welcome to see it :) FFL> Defense in Depth has nothing to do FFL> with security software. In a certain sense it has. Defence in depth is a Paradigm as not only applied to how you design software but also how you implement solutions. The talk is about reality, not an RFC or CISSP Definition. FYI, while certainly not a reference, here is what Wikipedia has to say: "Defense in Depth is an Information Assurance (IA) strategy where multiple layers of defense are placed through out an Information Technology (IT) system and addresses personnel, technology and operations for the duration of the system's lifecycle." http://en.wikipedia.org/wiki/Defense_in_Depth_(computing) FFL> To the contrary. The paradigm describes an FFL> approach where you assume that invidual (even multiple) elements of your FFL> defense fall, in the worst possible way (which could be code FFL> execution). Thank you for the definition, though I must let you know I am fully aware of it. (I miss an mandatory RFC link) The presentation will talk of exactly that "...assume.. multiple elements of your defense fall" What currently is being done in the industry is to ADD more layers of defence to protect against one failing, this is being done by adding one parsing engine after the other. Again nobody said Defence in Depth is wrong in itself, it's just the way the Software Industry has led companies to implement it. _This_ is the point. Don't get me wrong, defence in depth as general Paradigm is perfectly fine :) But you would have had to listen to the talk to draw that conclusion, this is what I find most irrating about your comment. And it raises a big question mark as to your motivation for this public comment. FFL> What you are describing is people adding security software FFL> _instead_ of applying a thorough defense in depth design. I am describing nothing Felix, you are judging about a Presentation _you have not even seen_. How dare you !!! ==)))) FFL> Your presentation title suggests that one of the very few paradigms FFL> that actually promises long term security benefits does not work. Felix I am suggesting nothing, your are taking a friendly invitation as reason to bitch about how you THINK the talk will be given, though you have no clue. FFL> Wrong. I suggest you find a better title. Zu befehl ! =) The title fits the presentation perfectly, I find it rather arrogant and bloated to comment in this way and fashion on a public mailing list. I welcome any other comment to my personal Inbox, Phone, Fax whatever, I will ignore any other comment by public means before the actually talk was given and there is actual substance to start a discussion. I would have loved to receive a question before you shoot. -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
