The companion post, I Went To SQL Injection Court, goes into detail about the court process and witness testimony. One of the interesting things is just how different computer people think about security vs lawyers. Somebody might say that having a schema would help a malicious actor a small amount, and a lawyer will jump on that to deny the request. The idea that the schema would help a malicious actor is the same as a map helping a bank robber. The vault security and security guards are the relevant factors for this, not the map.
I’ll keep this in mind the next time I’m an expert witness in a computer case (based on this, I hope I’m not.)
Security is not obscurity, and while obscurity can slow down a bad actor, it is not security and is not reliable
Transparency can lead to security through outside audit, the more eyes on it the more will security holes will be noticed
It’s crazy how this simple thing I was taught on day 1 of my job just can’t be properly understood by people. Not even just non -technical people - across the board we have constant leaks, in part because we don’t collaborate to build together nearly enough
I would say it helps more than zero but if you redact or rename tables and columns it becomes next to useless for attack planning.
