views: 519 | answers: 4

So this question will get technical – eventually – but first check out Hanselminutes with Atwood (et al.) where Scott basically invites developers to try to hack this site. It’s a hoot. I first thought (out loud of course, because with headphones on you get the best stares from people as you think out loud) “he either just got off a plane without meal service from Hong Kong or was ticketed for driving a Bobcat after too much cough syrup.”

So the question is, if a site like this can survive on one box, does it need multiple firewalls, a DMZ, and an anal ex-banker with a big stick? In other words, do we chase after the grail of security architectures just because THEY tell us to?

Disclaimer: I love Scott Hanselman and am a big fan of his another layer of abstraction theory.

A: 

Well, it's not as though this site hasn't been cracked. So yes, it's probably worthwhile to chase better security.

Craig Stuntz
However, multiple firewalls, a DMZ, etc. would not have protected one from the XSS hack mentioned in the Coding Horror blog post.
Ken H
A: 

The other, non-security related problem with running the site on one big box is the lack of redundancy. There are any number of single points of failure, both in the single server and that everything is in one data center.

I'll assume that the service provider has hot spares ready to swap in for their customers, and multiple internet connections, but still...

It is possible that Scott Hanselman will also chime in, as he also uses the site.

DGentry
+4  A: 

I really enjoyed the podcast, and found it refreshing to hear someone of Jeff's reputation sharing the same business/cost driven reality that so many of us face. I often find books/podcasts/presentations a little Utopian.

Making it work is still the primary goal. Beautiful code, perfect abstraction, NSA level security - those are all lofty goals too, but too much focus on those things can drive a project into premature bankruptcy.

aSkywalker
I'm with you on this. For example: sure, shutting down RDP will remove an 'attack vector', but what RDP vulnerability exists? And the ability to remote into the box is needed.
Ken H
+3  A: 

Ya, I agree that my paranoia probably got the best of me. I think it's MORE useful to complain about Jeff's lack of a separate dev and staging machine...not sure I have the stomach to push directly out to production. ;)

Seriously, though, forgetting about the hardware aspects of things, I should have talked more about threat modeling. It seems like Jeff's got a pretty good handle on that, however, and is plugging holes as fast as they are found.

Scott Hanselman
Security has been like documentation. It's the part of the project that we fit in at the end. Running the Dev site on the NET is a hoot. How many times have you done a Google search for something and found a site running something it shouldn't (exposed to the NET, and they may not even know)? Always fun.
Ken H