[E-Lang] defense in depth

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 25 Jan 2001 08:37:49 -0500


David Wagner wrote:
> Do I understand you to be saying that defense in depth is almost
> never worth it? (except for special exceptions like UIs)

Whether he says it or not, it's untrue. :-)

Defense in depth has clear applications. I think the essence of the
point that people here are trying to make is that capabilities make it
possible to structure applications in fundamentally better ways. Having
done so, most of the currently applied types of defense in depth become
irrelevant.

To put that another way: most of the methods for defense in depth that
are deployed today exist to patch around fundamental failings in our
ability to structure programs correctly.

Defense against/recovery from user error clearly does not fall in this
category. MLS enforcement clearly does not fall in this category. Stack
introspection, to my mind, *appears* to fall in this category, but I do
not completely understand stack introspection, so take that with a grain
of salt.


Jonathan