LinuxQuestions.org
independent network/app auditors...

Posted 08-10-2010 at 08:34 AM by suprstar

//start rant

LOL yeah ok, so some kid fresh out of college who "knows everything there is to know" about network and program security is gonna come in here and tell us what's wrong with our stuff... I spend hours producing screenshots of programs and statistics on activity, most of which prove absolutely nothing.

First the application
============================================================
Their big investigation focuses on a front end for PeopleSoft that allows employees to enter and approve time about 20 times faster than the clunky native PeopleSoft interface - it saves thousands of man-hours every year. Since it's payroll / money related, it makes sense to audit it. Fine...

Among their list of concerns, some are valid: We're a little lax on documentation. You got me there... Passwords are case insensitive, don't expire, and are intentionally weak. That's cuz I don't want my staff resetting passwords all day long. Just because concerns are 'valid' doesn't mean we're gonna change it.

Then some of their concerns are kinda 'WTF??' - My programmers have raw database access and can run arbitrary SQL. My programmers can migrate code into a production environment. Uhhh, yeah, that's their JOB!


Then there's the network stuff
============================================================
Yes, we run an ftp site. No, we will not take it down. Our clients do not want to use sftp, deal with it. We have sendmail, ssh, and http services exposed to the open internet. We need to! Yes, we run IDSs and honeypots. No, we will NOT take our security down to let you scan our network! Yes, I actually have an email requesting I do that. It is printed and hung up on my cube wall. In the end, all activity is logged from here to Sunday, and I have a team of programmers who love to mine logs and bust would-be hackers on the outside, and naughty employees on the inside.

So, yes, auditors, real-world networks and job practices do not always line up with the textbook best practices you learned in Network Security 201. The best network security in the world is the 1-inch air gap, so maybe we should all just unplug the ethernet cables from our servers' NICs and everything would be great, right?

//end rant
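The network section above says the team mines logs to catch would-be hackers hitting the exposed ssh and ftp services. As an added example (the editor's, not code from the author or the author's team), here is a small Python script that does the simplest version of that job over syslog lines from OpenSSH and vsftpd: a sliding-window count of failed logins per source address, plus a flag for a successful login from a source that had just been failing, which is the case worth a human look. The log lines, host name and addresses are constructed for this example (RFC 5737 documentation ranges); the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (made up for this example, not taken from
# the original post's systems). OpenSSH and vsftpd report login results to
# syslog in roughly this shape.
SAMPLE_LOG = """\
Aug 10 08:12:01 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug 10 08:12:03 gw sshd[2213]: Failed password for root from 203.0.113.7 port 51130 ssh2
Aug 10 08:12:04 gw sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51131 ssh2
Aug 10 08:12:06 gw sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Aug 10 08:12:09 gw sshd[2219]: Failed password for root from 203.0.113.7 port 51144 ssh2
Aug 10 08:13:40 gw vsftpd[2301]: [anonymous] FAIL LOGIN: Client "198.51.100.9"
Aug 10 08:13:41 gw vsftpd[2302]: [ftpuser] FAIL LOGIN: Client "198.51.100.9"
Aug 10 08:13:42 gw vsftpd[2303]: [ftpuser] FAIL LOGIN: Client "198.51.100.9"
Aug 10 08:13:43 gw vsftpd[2304]: [ftpuser] FAIL LOGIN: Client "198.51.100.9"
Aug 10 08:13:44 gw vsftpd[2305]: [ftpuser] FAIL LOGIN: Client "198.51.100.9"
Aug 10 08:14:02 gw vsftpd[2306]: [ftpuser] OK LOGIN: Client "198.51.100.9"
Aug 10 08:20:00 gw sshd[2290]: Failed password for jsmith from 192.0.2.5 port 40000 ssh2
Aug 10 08:20:15 gw sshd[2292]: Accepted publickey for jsmith from 192.0.2.5 port 40001 ssh2
Aug 10 09:05:00 gw sshd[2400]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$')
SSH_FAIL_RE = re.compile(r'^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
SSH_OK_RE = re.compile(r'^Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)')
FTP_RE = re.compile(r'^\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def parse_line(line):
    """Turn one syslog line into a login event, or None if it is not an
    sshd/vsftpd login result. Syslog timestamps carry no year, so the
    parsed datetime is only useful for computing differences."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
    prog, msg = m.group('prog'), m.group('msg')
    if prog == 'sshd':
        for regex, ok in ((SSH_FAIL_RE, False), (SSH_OK_RE, True)):
            r = regex.match(msg)
            if r:
                return {'ts': ts, 'service': 'ssh', 'user': r.group('user'),
                        'ip': r.group('ip'), 'ok': ok}
    elif prog == 'vsftpd':
        r = FTP_RE.match(msg)
        if r:
            return {'ts': ts, 'service': 'ftp', 'user': r.group('user'),
                    'ip': r.group('ip'), 'ok': r.group('result') == 'OK'}
    return None


def parse_log(text):
    """All login events in a block of syslog text, in file order."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {(service, ip): peak failures seen within any sliding `window`}
    for sources that reached `threshold` failures. Threshold and window are
    assumed values; tune them to the site's real traffic."""
    recent = defaultdict(deque)   # (service, ip) -> timestamps of recent failures
    hits = {}
    for ev in sorted(events, key=lambda e: e['ts']):
        if ev['ok']:
            continue
        key = (ev['service'], ev['ip'])
        q = recent[key]
        q.append(ev['ts'])
        while q and ev['ts'] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[key] = max(hits.get(key, 0), len(q))
    return hits


def success_after_failures(events, min_failures=3):
    """Successful logins from a source that had already failed at least
    `min_failures` times earlier in the log: the guess that worked."""
    failures = defaultdict(int)
    flagged = []
    for ev in sorted(events, key=lambda e: e['ts']):
        key = (ev['service'], ev['ip'])
        if not ev['ok']:
            failures[key] += 1
        elif failures[key] >= min_failures:
            flagged.append((ev['service'], ev['ip'], ev['user'], ev['ts'].strftime('%H:%M:%S')))
    return flagged


if __name__ == '__main__':
    events = parse_log(SAMPLE_LOG)
    for (service, ip), n in find_bruteforce(events).items():
        print(f'brute force: {n} {service} failures from {ip} within one minute')
    for service, ip, user, when in success_after_failures(events):
        print(f'check this: {service} login as {user} from {ip} at {when} after repeated failures')
```

Feeding it a real `/var/log/auth.log` or `/var/log/secure` is a matter of replacing `SAMPLE_LOG` with the file contents; the single-failure-then-success case (jsmith above) is deliberately left below the default `min_failures` so that ordinary typos do not page anyone.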