﻿<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Ayende @ Rahien</title><link>http://ayende.com</link><description>Ayende @ Rahien</description><copyright>Copyright (C) Ayende Rahien  2004 - 2021 (c) 2026</copyright><ttl>60</ttl><item><title>brackett@ufl.edu commented on A false sense of security</title><description>It's actually fairly normal to "assume" that your webserver will be compromised. Not that you actually expect it to happen to you - but that between OS and webserver vulnerabilities, Google's indexing (to find those vulnerable servers), and open access, it's a very real possibility.
  
  
</description><link>http://ayende.com/2960/a-false-sense-of-security#comment6</link><guid>http://ayende.com/2960/a-false-sense-of-security#comment6</guid><pubDate>Fri, 23 Nov 2007 20:37:13 GMT</pubDate></item><item><title>Dave Newman commented on A false sense of security</title><description>Just on a side note, I'm loving the pictures you've been posting lately Oren!
</description><link>http://ayende.com/2960/a-false-sense-of-security#comment5</link><guid>http://ayende.com/2960/a-false-sense-of-security#comment5</guid><pubDate>Mon, 19 Nov 2007 01:58:29 GMT</pubDate></item><item><title>Evan commented on A false sense of security</title><description>You can raise the skills bar on the hacker multiple notches by storing your connection string encrypted in the database or relying on certificates, etc, etc.
  
  
Then he has to be able to break into the OS, AND write code to read the connection string (or get into the certificate store, etc).
</description><link>http://ayende.com/2960/a-false-sense-of-security#comment4</link><guid>http://ayende.com/2960/a-false-sense-of-security#comment4</guid><pubDate>Mon, 19 Nov 2007 00:21:20 GMT</pubDate></item><item><title>Tuna Toksoz commented on A false sense of security</title><description>@Sean Chambers 
  
Even this is not enough, because someone can catch all the signals transmitted from your electronic devices, such as monitors or LCDs.
  
There are some kinds of isolators or isolating paints to minimize the distance that those signals can go.
</description><link>http://ayende.com/2960/a-false-sense-of-security#comment3</link><guid>http://ayende.com/2960/a-false-sense-of-security#comment3</guid><pubDate>Sun, 18 Nov 2007 22:15:08 GMT</pubDate></item><item><title>Sean Chambers commented on A false sense of security</title><description>Good posting. I definitely agree with your last paragraph saying that proper security takes cooperation from all aspects.
  
  
If you want a 100% completely secure, unhackable machine...unplug the network cable from the ethernet card.
</description><link>http://ayende.com/2960/a-false-sense-of-security#comment2</link><guid>http://ayende.com/2960/a-false-sense-of-security#comment2</guid><pubDate>Sun, 18 Nov 2007 19:24:21 GMT</pubDate></item><item><title>Eber Irigoyen commented on A false sense of security</title><description>"In the end, there really isn't a one good way to secure an application, this requires cooperation from developers, IT, networking, etc. If there was, everyone was using it. And while I do believe in defense in depth, I also believe that once the king is taken, the game is over. Starting with the premise that the attacker has gained an admin control over one of your machine is not a start that you want to be in."
  
That's the bottom line: security is an illusion; all you can do is raise the bar.
</description><link>http://ayende.com/2960/a-false-sense-of-security#comment1</link><guid>http://ayende.com/2960/a-false-sense-of-security#comment1</guid><pubDate>Sun, 18 Nov 2007 19:22:08 GMT</pubDate></item></channel></rss>