Saturday, March 08, 2008
Network folks need to realize that their time has come and gone when it comes to securing the modern enterprise. The enterprise is porous: we put more and more web applications on the Internet by exposing them over port 80 (or 443), and the firewall has to let that traffic through. Reality says that there is only so much a firewall can possibly do to protect an application, and a better strategy may be to figure out how to make the applications protect themselves.
From the network-centric view, they are skeptical of the ability of software developers to write secure code. At some level, I agree with this notion. The problem I see is that in order to understand the problem of security, one needs to understand that security isn't just a network problem.
Real security professionals understand what needs to occur from layer one to layer seven. The so-called network security professionals aren't really security professionals at all; they are simply gratuitous network hygiene professionals.
If Jim were to do one thing to help make security better, he would encourage the network crowd to attend user groups such as OWASP and to help IT executives understand that security isn't just a network thing but also requires the folks doing software development to write code securely...