lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue Dec  6 15:56:06 2005
From: daniels at Ponderosatel.com (Daniel Sichel)
Subject: Commercial pressure as a threat to security

 
>Content-Type: text/plain
>
>Commercial pressures are just as harmful to security as are complexity
and ignorance.
>
>Regards,
>
>Jason Coombs
>jasonc@...ence.org

That is a profound insite (at least for me). It crystalizes what I have
experienced for many years and am about to again. My company is about to
add a web server for customers to use to pay bills and order service.
When I was told this, I immediately requested permission to use OpenBSD
and Apache. I was told that I have to use IIS because the people
programing the app on the site only know .net. I am very concerned about
their expertise and respect for security. I would bet a stale donut
against the equity in my house (I live in Ca. so don't laugh) that there
will be exploitable chunks of code. Add to that the inherent risk of IIS
and I am very afraid. However, we WILL deploy this, and soon. No matter
that I am no IIS expert (I'm a Cisco guy, thank G-d) and our other admin
is 22 years old. At least I may be able to get an OK to have somebody
(hopefully competent) test it, but does that tell me what to look for in
logs? No. Or how to monitor this hideous cukoos' egg? No. Seems like a
recipe for trouble, but this is typical. Well acually not, usually
people in my position don't have the money for a security consultant, so
they are even more naked than I am going to be.

Anyhow, Jason summed this up elegantly and succinctly. Is anybody
addressing this problem with cheap software a small business can afford,
even to test just the basics?


Dan S.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ