• boatswain@infosec.pub · ▲ 1 · 9 months ago

    I see this claim all the time, and it bugs me every time. Obfuscation is a perfectly reasonable part of a defense-in-depth solution. That’s why you configure your error messages on production systems to give very generic error messages instead of the dev-centric messages with stack traces on lower environments, for example.

    The problem comes when obscurity is your only defense. It’s not a full remediation on its own, but it has a part in defense in depth.
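The production-vs-development error handling the comment uses as its example, as an added illustration (not code from the commenter or from any particular framework). It assumes a single `debug` switch selects the environment; the failing lookup, its hostname and the helper names are constructed for the example. The point it shows is that the generic message costs nothing in diagnosability: the full traceback is still logged server-side under a correlation id, so support can find it, while the client never sees internal hostnames or stack frames.

```python
import logging
import traceback
import uuid
from dataclasses import dataclass

logger = logging.getLogger("app.errors")

# Strings that only appear when a Python traceback has been pasted into a response.
TRACEBACK_MARKERS = ("Traceback (most recent call last)", 'File "')


@dataclass
class ErrorResponse:
    status: int
    body: dict


def render_error(exc: Exception, *, debug: bool) -> ErrorResponse:
    """Build the HTTP error body for an unhandled exception.

    debug=True (lower environments): the caller gets the exception type,
    message and full traceback.
    debug=False (production): the caller gets a generic message plus a
    correlation id. The traceback is logged server-side under that same id,
    so nothing is lost for the people who need to debug it.
    """
    correlation_id = uuid.uuid4().hex
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))

    # Always keep the detail on the server, in both modes.
    logger.error("unhandled exception id=%s\n%s", correlation_id, tb)

    if debug:
        return ErrorResponse(500, {
            "error": type(exc).__name__,
            "message": str(exc),
            "traceback": tb,
            "id": correlation_id,
        })
    return ErrorResponse(500, {
        "error": "Internal Server Error",
        "id": correlation_id,
    })


def leaks_internals(body: dict) -> bool:
    """Crude response check: does the body contain a pasted traceback?"""
    text = " ".join(str(v) for v in body.values())
    return any(marker in text for marker in TRACEBACK_MARKERS)


def demo(debug: bool) -> ErrorResponse:
    """Constructed failure: a backend error whose message names an internal host."""
    try:
        raise RuntimeError("connection to db-primary.internal:5432 refused")
    except RuntimeError as exc:
        return render_error(exc, debug=debug)


if __name__ == "__main__":
    for mode in (True, False):
        resp = demo(debug=mode)
        print(f"debug={mode}: status={resp.status} body_keys={sorted(resp.body)}")
```

The `leaks_internals` check is the kind of assertion worth keeping in an integration test for the production configuration: it fails the build if someone flips the debug flag on or adds a handler that echoes exception text back to the client.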