Friday, August 28, 2009

Don't invert your security!

The most striking lesson I think that anyone can take from the recent apache compromise is this:

The more secure zone should have credentials for the less secure one, not the other way round, and the more secure zone should be responsible for controlling the processes that it is involved in.

This way the less secure zone doesn't have any influence over your more secure stuff.

If you, like me, spend your days making systems interact with one another this is reasonably fundamental stuff. But for those who aren't so paranoid its a lesson well worth heeding.



Labels: ,

Comments:

blog comments powered by Disqus

I know nothing, I'm not a fortune teller, and you'd be insane to think that I am. This disclaimer was cribbed from an email footer I once received. It is so ridiculous I had to have it for myself.

Statements in this blog that are not purely historical are forward-looking statements including, without limitation, statements regarding my expectations, objectives, anticipations, plans, hopes, beliefs, intentions or strategies regarding the future. Factors that could cause actual results to differ materially from the forward looking statements include risks and uncertainties such as any unforeseen event or any unforeseen system failures, and other risks. It is important to note that actual outcomes could differ materially from those in such forward-looking statements.

Danny Angus Copyright © 2006-2013 (OMG that's seven years of this nonsense)