Security in depth is like cheese…


While two of my team can attend the PDC (jalousie… ) I have to work here back in Germany.

Tomorrow I will be doing a presentation on developer security during an event we are doing together with SAP here in Germany.

Thinking about my talk I was remembering something I heard (or read) years ago.

Building airplanes security is quite an important factor. What this industry soon realised is that total security is something that will never be achieved. But total security is the still the final goal to work for.

One idea they had was that each security technology will prevent some bad things to happen while it might not prevent others. A model for that is to have the plane on the one side and the accident on the other side. The job is now to prevent the plane from reaching the accident side. All we have to do that are slices of cheese (the normal one with holes in it ;-). What we can do is stacking slices and the goal is that each hole in each slice is covered by another slice. So there is no direct way through our stack of cheese slices …

The cheese is a symbol for technologies. If we accept that each technology will cover some possible ways to destruction other might be left open. The art is to stack technologies in that way that they support each other that way to cover the whole thing. So defence in depth only makes sense if the technologies used support each other in that way.


