The sentiment of, "if we fixed issue X, we& #39;d be secure", I think is a sign of what @JohnLaTwC calls list-based thinking.

"We have a list of problems, which progressively rely on each other, so therefore if we break that chain, we& #39;re secure."

a quick thread: https://twitter.com/curi0usJack/status/1384620859302744066">https://twitter.com/curi0usJa...

Seeing an attack path as an attack "chain" can reasonably lead one to believe that breaking one link in that chain kills the entire attack path

But what pentesters and red teamers instinctively know is that while one attack path itself may look like a chain, in reality it& #39;s one path within the context of a map

As a defender, seeing your environment as a map of connected assets very quickly eliminates the "if we do this one particular thing we& #39;ll be safe" mode of thinking. It& #39;s not as comforting, but it& #39;ll help you make much better decisions about what to do about your security posture

For a more eloquent take on what I& #39;m trying to say in this thread, read this blog post by @JohnLaTwC: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md">https://github.com/JohnLaTwC...