by lmm 1650 days ago
> Security by obscurity is a very valid defense-in-depth measure.

No it isn't. The whole notion of "defense-in-depth" generally does more harm than good IME, as it creates confusion about where the actual security boundaries are.

> Speaking of logging, Log4shell is yet another example. The most ubiquitous libraries in use. Used everywhere by some of the largest tech companies in the world, that all have the largest and most well-budgeted security organizations.

log4j2 was widely disliked and rarely used, IME.

1 comment

> No it isn't. The whole notion of "defense-in-depth" generally does more harm than good IME, as it creates confusion about where the actual security boundaries are.

The security departments of multiple FAANGs, not to mention security experts, completely disagree with you.

> log4j2 was widely disliked and rarely used, IME.

Tell that to the tens of thousands of FAANG engineers who worked all weekend remediating the hundreds of thousands (not an exaggeration) of instances in their companies where it is in use.