I’ve been working in cyber security for nearly a decade. While I have heard all kinds of justifications for bogus ideas, today I heard a very old argument that had, in my belief, all but been removed from the understanding of even the most non-technical of industry professionals.
In response to a recent article in which Linus Torvalds recommends the use of “defense in depth,” a colleague implied that, since the OS is so critical, he doesn’t agree with Torvalds’ argument.
For those not in the industry in the late ’90s and early 2000s, this was a very common argument (of the not-so-distant past), in which individuals relied solely on the security of singular entities for their entire security posture. These commonly included things like:
- The External Firewall
- Local OS Firewalls
- The Local Operating System
- Application Interfaces
The reason for defense in depth is simply that many of the bugs we find are ones no one would have thought of as security issues until a clever person takes advantage of them. Often the bugs are exploited through an otherwise “trusted” attack surface. A common example is where someone has secured their Oracle Database but has not secured their web interface. An attacker is able to overcome the protections of the database by manipulating calls directly through a SQL injection vulnerability in the web interface.
By managing risk with diverse defensive strategies, so that a failure in one defense doesn’t result in a full breach, you distribute the impact and severity of the risk across a greater system, making it more difficult for an attacker to cause real damage without a greater degree of sophistication. The defense in depth principle may seem contradictory to the “secure the weakest link” concept, but when it comes to redundancy in security, it is possible that the sum protection offered is far greater than the protection offered by any single component.
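The database-behind-a-web-interface case above, as an added example that is not part of the original post: a query layer with an injection bug, run once against an unrestricted connection and once against a connection limited to the one table the web tier needs. SQLite stands in for the database, and the table names, function names and sample input are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed input that abuses the concatenation bug in search_flawed().
INJECTED = "x' UNION SELECT username, secret FROM credentials --"

def make_db():
    """Constructed sample data: one public table, one sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL);
        CREATE TABLE credentials (username TEXT, secret TEXT);
        INSERT INTO products VALUES ('widget', 9.99), ('gadget', 19.99);
        INSERT INTO credentials VALUES ('admin', 'constructed-secret');
    """)
    return conn

def restrict_to_products(conn):
    """Second layer: this connection may only run SELECTs that read `products`."""
    def authorizer(action, table, column, db_name, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and table == "products":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # other tables, writes, DDL, functions
    conn.set_authorizer(authorizer)

def search_flawed(conn, term):
    """First layer with the bug: user input concatenated into the SQL text."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, term):
    """First layer fixed: the input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()

def attempt(conn, term):
    """Run the flawed search and report whether the data tier refused it."""
    try:
        return search_flawed(conn, term)
    except sqlite3.DatabaseError as exc:
        return "blocked: " + str(exc)

if __name__ == "__main__":
    single = make_db()                      # only the (buggy) web layer
    print("single layer:", attempt(single, INJECTED))
    layered = make_db()
    restrict_to_products(layered)           # same bug, plus data-tier limits
    print("layered     :", attempt(layered, INJECTED))
    print("normal use  :", attempt(layered, "widget"))
```

Neither layer is sufficient alone: the authorizer does nothing about the injection bug itself, and the parameterized query does nothing about the next bug nobody has thought of yet.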
Torvalds openly admits that most of the security issues discovered within the Linux kernel have been just bugs that nobody would have thought of as a “security issue” until a clever person was able to take advantage of them. There is much to be said for Torvalds’ recognition and open admission that a completely secure system cannot exist. It’s impossible to be certain that no vulnerability exists in any layer of the software stack, and that’s why it’s so important to have defense in depth. To claim otherwise is at best disingenuous about your security posture and at worst very dangerous “advice.” While his argument may be less comfortable to developers who like to promise hacker-proof platforms, those are just false promises. It’s much healthier to admit the limitations that exist in your systems than to cling to the fantasy that you can somehow build a vulnerability-free system.
Torvalds can get away with such an honest statement because he doesn’t have a company’s image to promote. It’s disappointing that more industry executives can’t openly admit it without fear of damage to the corporate image.