[E-Lang] defense in depth

David Wagner daw@mozart.cs.berkeley.edu
25 Jan 2001 08:32:07 GMT

Marc Stiegler wrote:
>> You seem to suggest that we have a decision to make between defense in
>> depth with imperfect defenses or a single but perfect line of defense.
>> But that's not the choice we are given today.  If you start from the
>> premise that all of our defenses are imperfect---and this seems to be
>> hard to dispute---then it seems that adding multiple redundant lines of
>> defense can't hurt and can only help.
>But, as pointed out by others on the list at greater length, it can indeed
>hurt, because the defenders get confused about what part of what wall was
>trying to defend what thing.

Yup, you are right to challenge me on this point.
I was wrong to say that defense in depth "can't hurt and can only help".
Both of those are not always true.

I guess a more accurate statement would be to say that there is usually
a tradeoff between the benefits and costs of defense in depth,
and my experience is that in today's systems it is not at all
uncommon to find scenarios where the costs of defense in depth
are well worth it.

Do I understand you to be saying that defense in depth is almost
never worth it?  (except for special exceptions like UIs)