Can Obscurity in Security Really Work?

I came across a cool article from Daniel Miessler called "Obscurity is a Valid Security Layer." I'm not a huge security buff by any means, but I've heard of "security by obscurity," which relies entirely on being secretive about the design of your system to defend against attacks. All it takes to fall apart is one person to spill the beans, and suddenly your application is doomed. 

Generally, security by obscurity is considered to be a terrible practice, but Miessler considers a caveat: with secrecy as a component of application security, it can be a valid barrier against attacks. Makes sense, right? You want your security to be impossible to crack, and you don't want to compromise it. An extra layer of protection, like not publishing details on your system, is a valid way to add more security without relying on it. 

Miessler goes into detail on some technologies, like Single Packet Authorization, that can hide network services behind another layer of protection so that you have an SSH server that cannot be detected by port scanners trying to get through your firewall:

Your firewall listens to the incoming requests and ignores all standard attempts to your system. If, however, you ask in a very specific way, i.e. using the secret knock sequence (PK) or a packet with a special payload (SPA), it’ll open access to the server for your specific source IP ... you still have to authenticate to the daemon behind this layer. You didn’t replace the service’s security with this layer, you simply added it to what already existed. Remember, the NSA most likely has great algorithms, but they still don’t publish them.

He also goes on to test this idea in his article, which you can read here. Obviously this won't be a good solution for everyone, but it's certainly something to remember for future scenarios. Almost everything can be good in moderation.