Firewall Wizards mailing list archives

Re: Network Traffic Violations


From: Antonomasia <ant () notatla demon co uk>
Date: Fri, 4 Sep 1998 08:00:17 +0100


Jim Wamsley 303-673-8163 <wamsljr () coltano stortek com>:

I think I have had it with some companies that are selling web based services
that require you to use their home-brew package that fails to take into
account the way most of us, or at least many of us, are controlling our
Internet access.

This is why you want your security department and purchasing department
to speak to each other.

Draw up a 'standards for bought software' document and make it available
to vendors on request.  Likely entries in this doc for common software,
i.e. no specific security purpose, might be:

  - no preexisting files on the box are changed by installation or operation
        Program-specific config options belong in specific files
        (e.g. ~/.prognamerc) and not the environment, so install scripts are
        not tempted to mess with shell initialisation files.
  - installation does not require root to run sourceless binaries
  - any suids are not root but a single-purpose account
  - it works when mounted ro
  - it does not require weak or absent passwords, 'xhosts +' or similar

Have purchasing insist that they will only buy software they are told
matches your current policy, and that you can have your money back if the
vendor is found to have lied.  (If your internal customers lie they will
be the ones who spent the money and end up without a working product,
which might be considered a fitting punishment by itself.)

With the cooperation some vendors will provide, your transition to
free software is accelerated, so you win either way.


--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
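Two of the checklist items in the post above (no preexisting files changed by installation; no suid-root binaries) can be verified mechanically before purchasing signs off. The script below is an added example, not part of the original post; it assumes a pre-install manifest of system files in `sha256sum` output format and a known vendor install prefix.

```shell
#!/bin/sh
# Added example: verify a vendor package against two of the
# 'standards for bought software' items. Assumptions: a manifest of
# preexisting files was taken with `sha256sum` before installation,
# and the package was installed under a single known prefix.

# Item: "no preexisting files on the box are changed by installation".
# Re-hash every path in the pre-install manifest and report any that
# differ or have disappeared. Returns 1 if anything changed.
check_unchanged() {
    manifest="$1"
    changed=0
    while read -r sum path; do
        [ -z "$path" ] && continue
        now=$(sha256sum "$path" 2>/dev/null | awk '{print $1}')
        if [ "$now" != "$sum" ]; then
            echo "CHANGED: $path"
            changed=1
        fi
    done < "$manifest"
    return $changed
}

# Item: "any suids are not root but a single-purpose account".
# List set-uid files under the install prefix that are owned by root.
# Returns 1 if any are found, 0 if the tree is clean.
check_no_suid_root() {
    prefix="$1"
    found=$(find "$prefix" -type f -perm -4000 -user root 2>/dev/null)
    if [ -n "$found" ]; then
        echo "$found" | sed 's/^/SUID ROOT: /'
        return 1
    fi
    return 0
}

# Usage (paths are placeholders for the reviewer's own):
#   sha256sum /etc/profile /etc/csh.login ~/.profile > pre-install.manifest
#   ... run the vendor installer ...
#   check_unchanged pre-install.manifest && check_no_suid_root /opt/vendorpkg
```

Take the manifest over the shell initialisation files and other system files the install script could plausibly touch, so that a "clean" result actually covers the files the policy cares about.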


