From: Florian Weimer (fwdeneb.enyo.de)
Date: Mon Jul 11 2005 - 18:59:01 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Gadi Evron:

> Let's try and not confuse things though -
> If you do use two (or more) products, it is true you are now vulnerable
> with both of them. However, you are also now more secure in the event
> one fails.
>
> If the two "whatevers" are of the same type, the likelihood of the
> second fallowing the first and.. dying (if you're lucky) is extremely
> high (or more so than with two of different types).

I strongly believe that vulnerabilities in firewall and application
software are not statistically independent. (Obviously, I don't have
hard data because disclosure in this area is certainly not industry
standard practice.) But since roughly the same people write both
kinds of software, using similar tools, and similar development
constraints, I can't believe that the outcome is that much different.

Most vendors even reuse code from their applications in their security
products.

> However, there is one problem that we face which really scares me, and
> that is the menace of having a monoculture.
>
> One bug, and we're all dead. One bad patch, and we're all dead.

*shrug*

In an attempt to aid diversification of client operating systems, we
have built a new web-based monoculture. Look at how popular browsers
deal with cross-site requests. All your perimeter defenses are
worthless if you connect everything inside one application, the web
browser.

And guess what? Nothing has happened. This issue has been known for
at least five years. It's even documented in some RFC (not the
monoculture part, but the cross-site aspect.)
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]