Date: Tue Dec 6 15:56:06 2005
From: daniels at Ponderosatel.com (Daniel Sichel)
Subject: Commercial pressure as a threat to security

> Content-Type: text/plain
>
> Commercial pressures are just as harmful to security as are complexity and ignorance.
>
> Regards,
>
> Jason Coombs
> jasonc@...ence.org

That is a profound insight (at least for me). It crystallizes what I have experienced for many years and am about to again.

My company is about to add a web server for customers to use to pay bills and order service. When I was told this, I immediately requested permission to use OpenBSD and Apache. I was told that I have to use IIS because the people programming the app on the site only know .NET. I am very concerned about their expertise and respect for security. I would bet a stale donut against the equity in my house (I live in CA, so don't laugh) that there will be exploitable chunks of code. Add to that the inherent risk of IIS and I am very afraid.

However, we WILL deploy this, and soon. No matter that I am no IIS expert (I'm a Cisco guy, thank G-d) and our other admin is 22 years old. At least I may be able to get an OK to have somebody (hopefully competent) test it, but does that tell me what to look for in logs? No. Or how to monitor this hideous cuckoo's egg? No.

Seems like a recipe for trouble, but this is typical. Well, actually not: usually people in my position don't have the money for a security consultant, so they are even more naked than I am going to be.

Anyhow, Jason summed this up elegantly and succinctly. Is anybody addressing this problem with cheap software a small business can afford, even to test just the basics?

Dan S.