Conclusions

Don't Assume an External Technology Will Handle Internal Problems

• A firewall won't save an unpatched server

• IDS doesn't fix bad code

  • Audit code as part of QA!

Don't Neglect Opportunities to Minimize Trust Between Layers

• Internal audit trails

• Checking return codes from calls to external components

• Validating input (properly!)

  • SQL Injection Opportunities

Secure the Application, Not Just Pieces of the Application

• Design defenses that incorporate all components

• Be responsible (at the very least, be knowledgeable!) about problems inherited from components

• Recognize that often, it's not technology that fails us