LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Blogs > suprstar
User Name
Password

Notices

Rate this Entry

independent network/app auditors...

Posted 08-10-2010 at 08:34 AM by suprstar

//start rant

LOL yeah ok, so some kid fresh out of college who "knows everything there is to know" about network and program security is gonna come in here and tell us what's wrong with our stuff..... I spend hours producing screen shots of programs, statistics on activity, most of which prove absolutely nothing.

First the application
============================================================
Their big investigation focuses on a front end for PeopleSoft, that allows employees to enter and approve time about 20 times faster than the clunky native PeopleSoft interface - it saves thousands of man-hours every year. Since it's payroll / money related, it makes sense to audit it. Fine..

Among their list of concerns, some are valid: We're a little lax on documentation. You got me there.... Passwords are case insensitive, don't expire, and intentionally weak. That's cuz I don't want my staff resetting passwords all day long. Just because concerns are 'valid' doesn't mean we're gonna change it..

Then some of their concerns are kinda 'WTF??' - My programmers have raw database access and can run arbitrary SQL. My programmers can migrate code into a production environment. Uhhh, yeah, that's their JOB!


Then there's the network stuff
============================================================
Yes we run an ftp site. No we will not take it down. Our clients to not want to use sftp, deal with it. We have sendmail, ssh, and http services exposed to the open internet. We need to! Yes we run IDS's and honeypots. No, we will NOT take our security down to let you scan our network! Yes, I actually have an email requesting I do that. It is printed and hung up on my cube wall In the end, all activity is logged from here to sunday, and I have a team of programmers who love to mine logs and bust would-be hackers on the outside, and naughty employees on the inside.

So, yes auditors, real-world networks and job practices do not always line up with the textbook best-practices you learned in Network Security 201. The best network security in the world is the 1-inch air gap, so maybe we should all just unplug the ethernet cables from our servers' NIC's and everything would be great, right?

//end rant
Posted in Uncategorized
Views 363 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 07:28 PM.

Main Menu
Advertisement

My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration