[Catalyst] OT: security through obscurity (was: Encrypt/Decrypt URI)
Matt S Trout
dbix-class at trout.me.uk
Fri May 18 15:28:21 GMT 2007
On Fri, May 18, 2007 at 03:37:27PM +0200, A. Pagaltzis wrote:
> * Chisel Wright <chisel at herlpacker.co.uk> [2007-05-18 13:05]:
> > Security through obscurity isn't security at all.
>
> Just because this is a pet peeve of mine:
>
> Yes it is.
>
> Relying on obscurity as your only defense is foolish, but using
> it as a supplemental layer on top of a defense in depth is
> generally wise.
>
> (In this case, of course, obscurity makes no sense; I am just
> talking about the general case.)
>
> Please quit this “it’s not security at all” cargo cult.

I consider "it's not security at all" to come under "lies told to children".
When confronted with a junior developer thinking it's sufficient as complete
security, it's better to simply tell them never to use it - by the time they
understand the situation well enough -to- use it, they understand well
enough to know that this is an "acceptable generalisation" rather than a
cargo cult.
--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director Want a managed development or deployment platform?
Shadowcat Systems Ltd. Contact mst (at) shadowcatsystems.co.uk for a quote
http://chainsawblues.vox.com/ http://www.shadowcatsystems.co.uk/