

Using Resource Obfuscation to Reduce Risk of Mass SQL Injection - lmacvittie
http://devcentral.f5.com/weblogs/macvittie/archive/2009/03/05/using-resource-obfuscation-to-reduce-risk-of-mass-sql-injection.aspx

======
jskopek
I'm amazed SQL injection attacks have the level of prominence, and are as
common as they appear to be, in the field of web security. Anyone with more
than just a cursory understanding of web development should be protecting
their commands.

It seems to me like it might be wise to have a standardized qualifications
test for the web - something that tells employers "this guy won't put security
holes in my program".
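What "protecting their commands" means in practice, as an added example that is not part of this thread or the linked article: the same login lookup written first with string concatenation and then with a parameterized query, run against a constructed in-memory SQLite table (the table, rows and function names are assumptions made for this illustration). The concatenated version lets a tautology in the password field widen the WHERE clause to every row; the parameterized version treats the same input as an opaque value and matches nothing.

```python
import sqlite3

# Constructed sample data for this example only; not from the article or thread.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: user input spliced straight into the SQL text.
    Returns the usernames the query matched."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the SQL text fixed, and the driver passes the
    values separately, so input can never change the statement's structure."""
    sql = (
        "SELECT username FROM users WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both variants with a normal password and with a classic tautology."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        # Correct credentials: both variants return the one matching user.
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "parameterized_normal": login_parameterized(conn, "alice", "s3cret"),
        # Injected input: concatenation yields
        #   ... AND password = '' OR '1'='1' ...
        # which, because AND binds tighter than OR, matches every row.
        "vulnerable_injected": login_vulnerable(conn, "alice", tautology),
        # The same input as a bound parameter is just a password that no one has.
        "parameterized_injected": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:24s} -> {matched}")
```

The point worth noticing is that the parameterized version needs no escaping or input validation to be safe here: the structure of the statement is fixed before any user data is involved, which is exactly the property concatenation cannot provide.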

~~~
anthonyrubin
I believe this to be part of a larger problem: many developers and
organizations seem unaware of best practices (and when to disregard them) that
have existed for decades.

------
endtime
One of the mantras of an information assurance course I took as an undergrad
was that "security through obscurity is not security." (I think this came
second only to "proprietary encryption is crap.")

The first trick, in particular, seems pretty useless, unless I'm missing
something. The second one is probably slightly more useful, but won't stop a
determined black hat (it doesn't feel right to say 'hacker' on HN, even in
context).

If someone is dedicated to gaining access to your machine, and has the skill
and knowledge to do so, then, in general, a little extra obfuscation will
annoy them but not stop them. The only potential benefit of this kind of
obfuscation that I can see is that it could shut down script kiddies who don't
really know what they're doing. But if you want reliable, provable security,
don't rely on tricks like this.

~~~
jerf
A more nuanced view of security-through-obscurity is that while it is not
sufficient to constitute "security", it _can_ be part of a balanced, competent
approach to security, functioning as one of many layers.

One thing that security-through-obscurity can help with is what is outlined
here; moving off of the common ports and common extensions means you can't be
trivially scanned and attacked. Attacks which shouldn't be successful, but can
still be expensive (if nothing else, a determined web attack also functions as
a DoS, after all).

For my personal host, I use ssh in certificate-only mode, because that's the
most secure mode and SSH is a significant part of my attack surface. That's
security. But I also moved my SSH off of port 22, which is "obscurity", just
so my logs didn't get filled with pointless scanning attacks, which
significantly increases the value of my logs. A determined scanner can still
find my SSH port, but few people are that determined.

------
simonw
You should use mod_rewrite and similar to get rid of your .php / .asp
extensions because you care about the design of your URLs and don't want your
URLs to all break in the future should you move to a different technology -
not because you want to hide from crawlers out looking for SQL injection
targets.

