
Can Obscurity in Security Really Work?

It's often said that obscurity is not an effective security practice, but can it be combined with other security layers to be truly effective?

By Matt Werner · Jun. 10, 16 · Performance Zone · Opinion

I came across a cool article from Daniel Miessler called "Obscurity is a Valid Security Layer." I'm not a huge security buff by any means, but I've heard of "security by obscurity," which relies entirely on keeping the design of your system secret, rather than on the strength of the mechanism itself, to defend against attacks. All it takes to make it fall apart is one person spilling the beans, and suddenly your application is doomed.

Generally, security by obscurity is considered a terrible practice, but Miessler draws a distinction: secrecy as the only defense is worthless, while secrecy as one component of application security, layered on top of controls that hold up on their own, can be a valid barrier against attacks. Makes sense, right? The underlying controls still have to withstand an attacker who knows every detail of the design, but an extra layer, like not publishing details of your system or hiding a service from scanners, raises the cost of an attack without anything depending on that layer alone.

Miessler goes into detail on some technologies, like port knocking and Single Packet Authorization (SPA), that hide network services behind another layer of protection, so that you can run an SSH server that port scanners probing your firewall cannot even see:

Your firewall listens to the incoming requests and ignores all standard attempts to your system. If, however, you ask in a very specific way, i.e. using the secret knock sequence (PK) or a packet with a special payload (SPA), it’ll open access to the server for your specific source IP ... you still have to authenticate to the daemon behind this layer. You didn’t replace the service’s security with this layer, you simply added it to what already existed. Remember, the NSA most likely has great algorithms, but they still don’t publish them.
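
To make the two mechanisms in that quote concrete, here is an added example in Python (not code from Werner's post or from Miessler's article, and not the wire format of any real SPA or port-knocking tool). It assumes a constructed packet format (a JSON body followed by an HMAC-SHA256 tag, base64 encoded), a shared key, a 30-second freshness window, an in-memory nonce cache for replay protection, a made-up knock sequence of 7000, 8000, 9000, and an illustrative iptables command string that is returned rather than executed; the function and class names are mine.

```python
"""Gatekeeper sketch for the two mechanisms in the quote: port knocking (PK) and
single packet authorization (SPA). Added example; the packet format, key, knock
sequence and firewall command below are assumptions, not any real tool's."""
import base64
import hashlib
import hmac
import json
import os
import time

# Shared secret between client and gatekeeper (constructed for this example).
SHARED_KEY = b"example-spa-key-do-not-use-in-production"
MAX_SKEW = 30                 # seconds an SPA packet stays valid (assumed window)
TAG_LEN = hashlib.sha256().digest_size
_seen_nonces = set()          # replay cache; a real daemon would expire entries


def build_spa_packet(key, source_ip, port, now=None):
    """Client side: JSON body || HMAC-SHA256 tag, base64 encoded (constructed format)."""
    body = {
        "ip": source_ip,
        "port": port,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(8).hex(),
    }
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b64encode(msg + tag)


def verify_spa_packet(key, packet, peer_ip, now=None, seen=None):
    """Gatekeeper side: return (ip, port) to open, or None. Fails closed on bad
    encoding, bad MAC, stale timestamp, replayed nonce or spoofed source."""
    seen = _seen_nonces if seen is None else seen
    try:
        raw = base64.b64decode(packet, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Check the MAC before parsing anything, in constant time.
    if not hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
        return None
    try:
        body = json.loads(msg)
    except ValueError:
        return None
    if not isinstance(body, dict):
        return None
    now = int(time.time() if now is None else now)
    ts, port, nonce = body.get("ts"), body.get("port"), body.get("nonce")
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW:
        return None               # outside the freshness window
    if body.get("ip") != peer_ip:
        return None               # not sent from the address it names
    if not isinstance(port, int) or not 0 < port < 65536:
        return None
    if not isinstance(nonce, str) or nonce in seen:
        return None               # replay of a captured packet
    seen.add(nonce)
    return body["ip"], port


def allow_rule(ip, port):
    """Firewall change the gatekeeper would apply (illustrative iptables command
    string, returned rather than executed). sshd still authenticates as before."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j ACCEPT"


class KnockTracker:
    """Port knocking: a source must hit the ports in order; a wrong port resets it."""

    def __init__(self, sequence=(7000, 8000, 9000)):   # assumed knock sequence
        self.sequence = sequence
        self.progress = {}      # source ip -> how many knocks matched so far

    def observe(self, ip, port):
        idx = self.progress.get(ip, 0)
        if port == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.progress.pop(ip, None)
            return True
        self.progress[ip] = idx
        return False


if __name__ == "__main__":
    pkt = build_spa_packet(SHARED_KEY, "203.0.113.5", 22)
    grant = verify_spa_packet(SHARED_KEY, pkt, "203.0.113.5")
    print(allow_rule(*grant) if grant else "rejected")
    print("replay:", verify_spa_packet(SHARED_KEY, pkt, "203.0.113.5"))
```

The point the example makes is the one in the quote: a valid packet only buys a firewall exception for one source address and one port, and the SSH daemon behind it still does its own authentication. The MAC, timestamp and nonce checks are what keep "obscurity" from degrading into "anyone who captured one packet gets in"; if the shared key leaks, you are back to an SSH server exposed to the network, which is where you started, not somewhere worse.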

He also goes on to test this idea in his article, which you can read here. Obviously this won't be a good solution for everyone, but it's certainly something to remember for future scenarios. Almost everything can be good in moderation. 


Opinions expressed by DZone contributors are their own.
