Should network and application security proceed along separate, independent tracks?
Should software security focus solely on the in-context business issues concerning security, and have network security focus on not allowing the software and infrastructure to be undermined?
This is one of those concepts that has been brewing in the back of my mind for some time how. Different data, different availability, and different contexts provide different value propositions and I am not sure they are effective surrogates for one another. A bunch of Hoff’s posts add fire to this thought, and the whole Kaminsky debate shows the value of competition. We willfully merge network, sever and application security concepts as one and the same, and quite often use one to band-aid the other. It’s not working very well.
If competition makes us stronger, maybe we should just stop cooperating and start pointing the finger of blame at one another. Maybe we need a good turf war to generate security competition between IT & Development groups. The network Hatfields vs. the application McCoys, each working harder to make sure they’re not responsible for the next breach.