Odi's astoundingly incomplete notes
Misconceptions about security
Again I am coming across a customer who has severe misconceptions about security. They are:
There is 100% security
That is so wrong, it's not even a good joke anymore. Security and usability always add up to 100%. Something that is 100% secure is totally unusable and will not fulfil any requirements other than security requirements. Want a secure computer? Turn it off.
Security is cheap
No, security is not cheap. Security always adds inconvenience, it always takes extra work, it always causes extra problems, it always makes things more complex, it is always harder to debug.
Hiding something makes it secure
Also known as Security By Obscurity. Just because something is inconvenient to access doesn't mean it cannot be accessed. This category includes: code obfuscation, jump hosts, locally encrypted data(bases) like DRM (the key is accessible to the same user), obfuscated passwords.
Security of a client application is of importance
A client can run any code. Whether that is the original application, a modification thereof, a hacked version, a custom implementation or something completely different is irrelevant to security. What matters is what you can do over the network protocol. If your protocol is insecure, then security in your client cannot help you.
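To make the last point concrete, here is an added example (not from the original post): a checkout handler that believes the values the client computed, next to one where the server derives every security-relevant value itself. The catalogue, session store and message shapes are constructed for the illustration.

```python
# Added example, not code from the original post.
# The server must enforce the rules, because any client, modified or not,
# can put any values into a protocol message.
from dataclasses import dataclass

# Constructed server-side catalogue (prices in cents) and session store.
CATALOGUE = {"book": 1200, "pen": 150}
SESSIONS = {"tok-alice": {"user": "alice", "role": "customer"},
            "tok-ops": {"user": "ops", "role": "admin"}}


@dataclass
class Order:
    user: str
    total_cents: int
    discount_applied: bool


def checkout_trusting_client(msg: dict) -> Order:
    """Insecure: accepts the user, total and role the client sent.
    A modified client can claim total_cents=1 and role='admin'."""
    return Order(user=msg["user"],
                 total_cents=msg["total_cents"],
                 discount_applied=(msg.get("role") == "admin"))


def checkout_server_enforced(token: str, msg: dict) -> Order:
    """Hardened: the client only names what it wants; identity, price and
    privilege are all derived on the server from data it controls."""
    session = SESSIONS.get(token)
    if session is None:
        raise PermissionError("unknown session")
    total = 0
    for item, qty in msg.get("items", {}).items():
        # Reject unknown items and malformed quantities instead of trusting them.
        if item not in CATALOGUE or type(qty) is not int or qty <= 0:
            raise ValueError(f"rejected item {item!r} x{qty!r}")
        total += CATALOGUE[item] * qty
    # The discount is a server-side policy keyed on the session's role,
    # not on a field the client can set in the message.
    discount = session["role"] == "admin"
    if discount:
        total //= 2
    return Order(user=session["user"], total_cents=total,
                 discount_applied=discount)
```

Run both handlers on the same tampered message and compare the resulting orders; only the second one reflects what the server actually knows.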