Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Can Obscurity in Security Really Work?

DZone's Guide to

Can Obscurity in Security Really Work?

It's often said that obscurity is not an effective security practice, but can it be combined with other security layers to be truly effective?

· Performance Zone
Free Resource

Evolve your approach to Application Performance Monitoring by adopting five best practices that are outlined and explored in this e-book, brought to you in partnership with BMC.

I came across a cool article from Daniel Miessler called "Obscurity is a Valid Security Layer." I'm not a huge security buff by any means, but I've heard of "security by obscurity," which relies entirely on being secretive about the design of your system to defend against attacks. All it takes to fall apart is one person to spill the beans, and suddenly your application is doomed. 

Generally, security by obscurity is considered to be a terrible practice, but Miessler considers a caveat: with secrecy as a component of application security, it can be a valid barrier against attacks. Makes sense, right? You want your security to be impossible to crack, and you don't want to compromise it. An extra layer of protection, like not publishing details on your system, is a valid way to add more security without relying on it. 

Miessler goes into detail on some technologies, like Single Packet Authorization, that can hide network services behind another layer of protection so that you have an SSH server that cannot be detected by port scanners trying to get through your firewall:

Your firewall listens to the incoming requests and ignores all standard attempts to your system. If, however, you ask in a very specific way, i.e. using the secret knock sequence (PK) or a packet with a special payload (SPA), it’ll open access to the server for your specific source IP ... you still have to authenticate to the daemon behind this layer. You didn’t replace the service’s security with this layer, you simply added it to what already existed. Remember, the NSA most likely has great algorithms, but they still don’t publish them.

He also goes on to test this idea in his article, which you can read here. Obviously this won't be a good solution for everyone, but it's certainly something to remember for future scenarios. Almost everything can be good in moderation. 

Learn tips and best practices for optimizing your capacity management strategy with the Market Guide for Capacity Management, brought to you in partnership with BMC.

Topics:
security

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}