|
|
|
|
|
|
by eldavido
4170 days ago
|
|
|
Something I used to think about during my tenure as a graduate student in computer security: has anyone written the definitive book/study/dissertation on why security incidents happen? As mentioned elsewhere in this thread, it's a very complex problem involving operational, economic, and technical factors, suggesting (as others have mentioned) it's not something that really can be "sold". Watching bugtraq for a while, I saw a lot of pure tech exploits (buffer overflows, SQL injection, other silly things like that) but also quite a lot of misconfiguration -- insecure passwords, lack of an enforced password policy, employees leaving the company without revocation of their credentials, etc. Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy? |
|
|
Web applications are not the same way. For example, enforcing policy restrictions between users of different permission levels suddenly becomes a custom project depending on what each user can do, what the application does, what functionality is mapped to different permissions, etc...it is not as simple as whitelisting. It is highly contextual.
Unfortunately, web applications are also where most vulnerabilities are found, not the network (at least not anymore).