Full Disclosure mailing list archives

Commercial pressure as a threat to security


From: "Daniel Sichel" <daniels () Ponderosatel com>
Date: Tue, 6 Dec 2005 07:55:55 -0800


Commercial pressures are just as harmful to security as are complexity
and ignorance.

Regards,

Jason Coombs
jasonc () science org

That is a profound insight (at least for me). It crystallizes what I have
experienced for many years and am about to again. My company is about to
add a web server for customers to use to pay bills and order service.
When I was told this, I immediately requested permission to use OpenBSD
and Apache. I was told that I have to use IIS because the people
programming the app on the site only know .net. I am very concerned about
their expertise and respect for security. I would bet a stale donut
against the equity in my house (I live in Ca. so don't laugh) that there
will be exploitable chunks of code. Add to that the inherent risk of IIS
and I am very afraid. However, we WILL deploy this, and soon. No matter
that I am no IIS expert (I'm a Cisco guy, thank G-d) and our other admin
is 22 years old. At least I may be able to get an OK to have somebody
(hopefully competent) test it, but does that tell me what to look for in
logs? No. Or how to monitor this hideous cuckoo's egg? No. Seems like a
recipe for trouble, but this is typical. Well, actually not; usually
people in my position don't have the money for a security consultant, so
they are even more naked than I am going to be.

Anyhow, Jason summed this up elegantly and succinctly. Is anybody
addressing this problem with cheap software a small business can afford,
even to test just the basics?


Dan S. 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
