This presentation by Alex Stamos, CSO of Yahoo, at the AppSec conference explains why firewalls are not part of Yahoo's security strategy.
- Firewalls operating at 10G or more are not cost effective. Vertical scaling of performance costs more than the services are worth.
- At 100G, a firewall has less than 6.7 nanoseconds per packet to “add value” before it impacts service delivery.
- You can’t use firewalls to secure East/West data flows in the network.
- Application Security is the answer to this problem. Security is about secure software engineering, not about bolting on external devices to “secure the application because we don’t trust developers to do it right”.
- Containerisation collapses the security perimeter.
- Application Security doesn’t have to be real time; it’s distributed.
- DNSSEC is dead (key rotation is awful, performance is poor).
- Passwords are unsafe.
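As an added worked example (not part of the original post or of the talk), the Python below shows where the 6.7 ns figure comes from: it assumes minimum-size 64-byte Ethernet frames plus the 8-byte preamble/SFD and 12-byte inter-frame gap that also occupy the wire, and generalises the calculation to other link rates, frame sizes and a per-core cycle budget.

```python
"""Per-packet time budget of an inline device (firewall) at a given link rate.

Worst case for any inline device is a stream of minimum-size frames: 64 bytes
of frame plus the 8-byte preamble/SFD and 12-byte inter-frame gap that occupy
the wire as well, i.e. 84 bytes (672 bits) per packet (IEEE 802.3 framing).
"""

PREAMBLE_SFD_BYTES = 8       # preamble + start-of-frame delimiter
INTER_FRAME_GAP_BYTES = 12   # minimum idle time between frames, in byte times
MIN_FRAME_BYTES = 64         # smallest legal Ethernet frame


def wire_bits(frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Bits a single packet occupies on the wire, overhead included."""
    return (frame_bytes + PREAMBLE_SFD_BYTES + INTER_FRAME_GAP_BYTES) * 8


def packets_per_second(link_gbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Packet rate the link can deliver at line rate for the given frame size."""
    return link_gbps * 1e9 / wire_bits(frame_bytes)


def budget_ns(link_gbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Time available to handle one packet without falling behind, in ns."""
    return 1e9 / packets_per_second(link_gbps, frame_bytes)


def budget_cycles(link_gbps: float, core_ghz: float,
                  frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Clock cycles a single core gets per packet at the given clock rate.

    Assumes serial processing on one core; a multi-queue design multiplies
    this budget by the number of cores, but not the per-packet latency.
    """
    return budget_ns(link_gbps, frame_bytes) * core_ghz


if __name__ == "__main__":
    for gbps in (10, 40, 100):
        print(f"{gbps:>3} Gbit/s, 64-byte frames: "
              f"{packets_per_second(gbps):.3e} pps, "
              f"{budget_ns(gbps):.2f} ns/packet, "
              f"{budget_cycles(gbps, 3.0):.0f} cycles at 3 GHz")
```

At 100 Gbit/s this works out to about 148.8 million packets per second, or 6.72 ns per packet, which is the talk's figure; at 10 Gbit/s it is 67.2 ns.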
I believe that many of these points apply to the Enterprise, especially the one about East/West data flows, and that is why NSX is getting strong traction: it solves the security/segmentation problem by using SDN & Overlays.
In the questions at the end, he points out that bug bounties are a PR problem. When you pay a bug bounty and fix the bug, the researcher needs to shut up instead of going public about the vulnerability. Of course, the researcher needs the publicity to build a business & credibility. So bug bounties are likely to die.
Warning: There is some profanity in this presentation. This is how real people speak about security; you should not be offended. Security is hard, swearing is normal.
Warning Warning: The video & audio quality isn’t great but the presentation is fantastic. You should watch it.