Acidus wrote:

That's quite an image, isn't it? It's ISS CEO Tom Noonan holding a silver bullet, announcing the Proventia IPS product in the October 2003 issue of ISS' Connect magazine. Raise your hand if you think IPS or anything else ISS has produced is a silver bullet. No takers?

I don't mention this to criticize ISS, specifically. Rather, I'd like to emphasize the importance of proper frames of reference when considering security.

HAHA! I've enjoyed Richard Bejtlich's humor for a while now, but this was too good not to post.

Kidding aside, Richard raises a good point that nothing in security is a silver bullet. Not an application, not a WAF, not WebInspect, not security as a service, nothing. Security must be layered, composed of many and varied products and defenses. Anyone who says otherwise is a charlatan.

what you describe sounds like a biological immune system 'cause I figure that if biology can't evolve some magical bullet defense then ....

Layered? As in remove all data, bury it in a deep hole, surround it with concrete, reinfoce that with rebar, surround it with razor wire, stake out dobermans and pit bulls, don't feed the dogs? That kind of layering?:)

Acidus wrote:

That's quite an image, isn't it? It's ISS CEO Tom Noonan holding a silver bullet, announcing the Proventia IPS product in the October 2003 issue of ISS' Connect magazine. Raise your hand if you think IPS or anything else ISS has produced is a silver bullet. No takers?

I don't mention this to criticize ISS, specifically. Rather, I'd like to emphasize the importance of proper frames of reference when considering security.

HAHA! I've enjoyed Richard Bejtlich's humor for a while now, but this was too good not to post.

Kidding aside, Richard raises a good point that nothing in security is a silver bullet. Not an application, not a WAF, not WebInspect, not security as a service, nothing. Security must be layered, composed of many and varied products and defenses. Anyone who says otherwise is a charlatan.