Good morning/afternoon/evening everybody.
Lori MacVittie over at DevCentral, who you should all read, wrote Which security strategy takes more time: configuration or coding? recently. It’s a good article with some very valid points, but it made me think of something else we need to be aware of when we make “time trade-off” choices.
I agree that WAFs, ACLs, black holing traffic, etc. are all good and effective methods of mitigating risk and protecting against known threats and, in some cases, unknown threats. For example, how often have you whipped up a solution to a problem and slapped it into place? You know it is not an appropriate long term solution, but you say to yourself, “I’ll come back and do that better when I have time.”
Fast forward 3 years and your quick fix is still in production causing all sorts of grief because it was never intended to be a long term solution, and/or nobody knows what this thing is doing and they remove it, again causing all kinds of grief.
Maybe I’m stating the obvious, but we need to make sure we have effective policies and procedures in place to ensure that we are addressing things in an appropriate manner, independent of the “this is quicker” mentality. Again, I am not saying that quicker shouldn’t be used. It has its place and often is the best short term choice. I just want to remind everybody that we need to keep that long term horizon in sight also.
Agree, disagree, think I’m looney? Leave me a note in the comments with your thoughts.
Image courtesy of jakeliefer