[Info-vax] MYSQL error WWW.OPENVMS.ORG
Arne Vajhøj
arne at vajhoej.dk
Mon Apr 15 19:24:36 EDT 2019
On 4/15/2019 12:54 AM, Dave Froble wrote:
> I've had discussions here before about what I call services, and others
> call "not standard". (Hi Jan-Erik) Well I'm rather happy to use
> "non-standard" protocols when bringing in data. My services know
> exactly what they want, and if a communication is not exactly what's
> required, PLONK, disconnected. Then there is the vetting of the data,
> not a valid customer, PLONK, disconnected. And many other checks. At
> no time does a service attempt to use anything other than the expected
> protocol and data.
>
> The problem with using some "standard", such as Apache, is that as soon
> as there is a web server exploit, you're toast.
What you try to do is no different from what the standard solutions try.
Input validation and authentication checks are not something unique to
bespoke protocols.
But sometimes the programmers of standard solutions miss something.
Guess what - you could also miss something.
Realistically it seems very unlikely that you write safer
code than the standard solutions, which are typically inspected
by hundreds of top developers across the world.
Which leaves the fact that nobody knows your protocol while
the standard solutions are common knowledge.
That phenomenon, also known as "security by obscurity", is pretty
effective at keeping the least competent hackers, also known
as "script kiddies", away, but is not very good at keeping
the more serious hackers away.
> There is something that
> will get the web server to do something you do not want, and there isn't
> much you can do about it.
Patch fast.
> If one wishes to run a standard web server, place your data and anything
> important elsewhere. It's only prudent. Then make sure anything that
> can reach the data is as secure as you can make it.
That is pretty standard.
--firewall--proxy--firewall--app--firewall--database
but it is no silver bullet as the valid traffic can get from
one system to the next and it may be difficult to detect
that some traffic is not valid.
But there are also tools for that: IDS/IPS, SIEM etc.
Arne
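An added example, not code from the Info-vax thread or from Dave's actual services, of the two points made above: a service that accepts only the exact bespoke frame it expects and drops the connection on any deviation ("PLONK"), and the audit trail a SIEM-style rule can be run over to spot a peer that keeps sending invalid traffic. The wire format, the customer allow-list and the peer addresses are all constructed for this example.

```python
import json
import re
from collections import Counter

# Hypothetical bespoke wire format (constructed for this example, not a real one):
#   "CUST=<6 digits>;OP=<GET|PUT>;LEN=<decimal>;\n" followed by exactly LEN payload bytes.
HEADER_RE = re.compile(rb"^CUST=(\d{6});OP=(GET|PUT);LEN=(\d{1,4});$")
VALID_CUSTOMERS = {"000123", "004711"}  # constructed allow-list, stands in for customer vetting
MAX_PAYLOAD = 1024

def handle(frame: bytes, peer: str, audit: list) -> tuple:
    """Accept only a frame that is exactly what the service expects.
    Every deviation ends the conversation ("PLONK") and is written as one JSON
    line to `audit`, the record an IDS/SIEM can correlate later."""
    def plonk(reason: str) -> tuple:
        audit.append(json.dumps({"peer": peer, "outcome": "PLONK", "reason": reason}))
        return False, reason

    header, sep, payload = frame.partition(b"\n")
    if not sep:
        return plonk("missing header terminator")
    m = HEADER_RE.match(header)
    if m is None:                      # e.g. an HTTP request line aimed at a non-HTTP service
        return plonk("header not in expected form")
    cust, op, length = m.group(1).decode(), m.group(2).decode(), int(m.group(3))
    if cust not in VALID_CUSTOMERS:
        return plonk("not a valid customer")
    if length > MAX_PAYLOAD or len(payload) != length:
        return plonk("payload length mismatch")
    if op == "GET" and length != 0:
        return plonk("GET must not carry a payload")
    audit.append(json.dumps({"peer": peer, "outcome": "OK", "reason": op}))
    return True, op

def noisy_peers(audit: list, threshold: int = 3) -> set:
    """SIEM-style rule over the audit trail: peers with at least `threshold` rejects."""
    events = [json.loads(line) for line in audit]
    rejects = Counter(e["peer"] for e in events if e["outcome"] == "PLONK")
    return {peer for peer, n in rejects.items() if n >= threshold}

if __name__ == "__main__":
    log = []
    # Constructed sample traffic: one good frame, then several malformed ones from one peer.
    print(handle(b"CUST=000123;OP=PUT;LEN=5;\nhello", "10.0.0.5", log))
    for bad in (b"GET / HTTP/1.0\r\n\r\n", b"CUST=999999;OP=GET;LEN=0;\n",
                b"CUST=000123;OP=GET;LEN=3;\nabc", b"CUST=000123;OP=PUT;LEN=9;\nhi"):
        print(handle(bad, "10.0.0.9", log))
    print("alert on:", noisy_peers(log))
```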