Let's review how the excellent book Stealing the Network is still very relevant
I recently re-read Stealing the Network, How to Own the Box. Written almost 10 years ago I'm impressed as to how it still is super up to date. Describing fictional attacks to websites, networks, and even printers, it proves that no system is safe enough. The book also shows how dangerous it can be not restricting access and patching our systems and devices.Laws of Security
One interesting aspect from the book is the discussion of the Laws of Security. They can summarized as:- Client-side security doesn’t work;
- You cannot securely exchange encryption keys without a shared piece of information;
- Malicious code cannot be 100 percent protected against;
- Any malicious code can be completely morphed to bypass signature detection;
- Firewalls cannot protect you 100 percent from attack
- Any intrusion detection system (IDS) can be evaded;
- Secret cryptographic algorithms are not secure;
- If a key isn’t required, you do not have encryption—you have encoding;
- Passwords cannot be securely stored on the client unless there is another password to protect them;
- In order for a system to begin to be considered secure, it must undergo an independent security audit;
- Security through obscurity does not work
Relevant Info for Developers
I recommend that developers read this book as it provides concrete examples on common threats we face today in our applications:- sql injection
- social engineering
- exploit information
- malware, trojans, viruses and worms
- honeypots
- network reconnaissance
- logging best practices
- disassembly
- tracking
- network problems
Conclusion
Security and technology are moving on a fast pace. But while some attacks get more sophisticated, old techniques are being used over and over again. Developers who are not concerned about how secure their code is should stop and reflect how dangerous that behaviour is for them and for their companies.Security is hard and shouldn't be neglected. The threats are real and happening all the time.
See Also
- My journey to 1 million articles read
- How and why use stronger passwords
- Security and development: how much is being done?
- Security is only as strong as the weakest link
- The Laws of security
- Security and Ethics
- Privacy and Ethics
- Security Boundaries
- Integrated security vulnerability alerts on GitHub - Why it matters