I came from a sysadmin background before I started development, so that probably has something to do with my perspective. Security is about layers. Every layer you put between you and an attacker helps mitigate the chances that you'll be compromised. That's why I've always run firewalls.
Another thing to keep in mind is that when you rely on application defaults and application layer security, you're opening yourself to vulnerabilities in each of those applications. Yes, a good sysadmin restricts MySQL passwords to something very secure, but what if a vulnerability in MySQL results in password disclosure? What if networking ends up enabled because of a package update or a boneheaded move by someone else working on the server? If you have a firewall blocking connections from everywhere but known hosts, you have far less of a problem than if you left MySQL open. These are all just hypotheticals, obviously. This is why the policy of default deny is the best policy when it comes to network security.

-- 
SD Ruby mailing list, http://groups.google.com/group/sdruby
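The default-deny setup the post argues for, as an added example that is not part of the original message: a POSIX shell function that emits an iptables-restore ruleset where INPUT is dropped by default and port 3306 is reachable only from the application hosts you list. The host addresses are constructed placeholders, and the SSH rule is an assumption you would narrow to a management network.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an iptables-restore
# ruleset that default-denies inbound traffic and allows MySQL (3306) only
# from explicitly known hosts. Apply on the database host with:
#   mysql_fw_rules 10.0.0.5 10.0.0.6 | sudo iptables-restore
# (10.0.0.5 / 10.0.0.6 are constructed placeholder addresses.)

mysql_fw_rules() {
    # $@ = IPv4 addresses or CIDRs of hosts allowed to reach MySQL
    printf '%s\n' '*filter'
    # Default deny: anything not explicitly accepted below is dropped, so an
    # accidentally re-enabled or misconfigured MySQL listener stays unreachable.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host itself initiated
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Administrative access (assumed); restrict the source in production
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    # MySQL: one ACCEPT per known host; every other source hits the DROP policy
    for host in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $host --dport 3306 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the default policy is about to drop, so stray
    # connection attempts show up in syslog instead of vanishing silently
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}
```

Reload the ruleset from a boot-time unit or your configuration management tool so it survives reboots and package updates.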
