Open Source Security Professionals

In economic times such as these it is imperative that architects and leads alike look beyond the glossy software catalog and instead to the web. In the past we often discounted open source as unsupported and hacker-like in its development efforts. One would hope that in this day, with enterprise open source powering the majority of web applications, we could back away from the mantra of yesteryear. The argument often heard in corporate America is: without a company backing it, how can you trust the source of the code? In the same breath they will speak of Microsoft and Oracle as pristine trophy holders of American ideals. In this global economy and 24×7 development cycle there is very little code still developed stateside only. The pond and the time zones allow for rapid development cycles and releases. It is ignorant to think that Microsoft’s code is not peppered with code developed in foreign countries. The bazaar development paradigm has extended well beyond the weird GNU hackers in their basements; even Microsoft and other commercial entities have opened the doors to this development process. ...

July 13, 2009 · 3 min · Nick

Legacy in the IT/IA Community

Information technology and assurance are both commonly seen as negative costs in a budget. Deploying a new or replacement server is seen as a “sunk” cost for very little gain. In the same vein, implementing costly security packages before an attack seems imprudent. “We haven’t had security issues thus far” is a slogan to be plastered on the side of Silicon Valley. Sticking with legacy platforms and code bases to dodge the upgrade bullet only serves to hit you with the cost later down the road. As a good friend of mine, Marc, states: “plan to do it right first or plan on doing it again later.” ...

May 22, 2009 · 4 min · Nick

Securing MySQL

Here is my quick secure guide for MySQL:

Rename the root user account:

    mysql -u root -p
    use mysql;
    update user set user='mydbadmin' where user='root';
    flush privileges;

Set the password for the renamed administrative account:

    mysqladmin -u mydbadmin password 'the-new-password'

Drop the default test database:

    mysql -u mydbadmin -p
    drop database test;
    quit;

Edit the MySQL server config (vi /etc/my.cnf) and add under [mysqld]:

    skip-networking              <-- disables network (TCP) access; only the local socket remains
    set-variable=local-infile=0  <-- prevents LOAD DATA LOCAL INFILE from reading client-side files
    bind-address=127.0.0.1       <-- if networking stays on, listen on loopback only

Restart MySQL:

    /etc/init.d/mysqld restart

Note: set-variable= is the old pre-5.0 option syntax and was removed in MySQL 5.5; on newer servers write local-infile=0 on its own line. With skip-networking in effect, bind-address is not consulted at all, so it only matters on servers that must keep a TCP listener.
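As an added example, not code from the original post, here is a small Python auditor that parses a my.cnf and reports which of the [mysqld] settings above are missing or weak. The two sample configs are constructed inline for the demo; the parser folds the legacy set-variable=name=value spelling into a plain name=value entry so old-style and new-style files audit the same way, and it treats bind-address as relevant only when skip-networking is not in effect.

```python
import re

# Constructed sample configs for the demo (not real files from any server).
WEAK_CNF = """\
[client]
port=3306

[mysqld]
datadir=/var/lib/mysql
bind-address=0.0.0.0   # listens on every interface
local-infile=1
"""

HARDENED_CNF = """\
[mysqld]
datadir=/var/lib/mysql
skip-networking
set-variable=local-infile=0
bind-address=127.0.0.1
"""

LOOPBACK = ('127.0.0.1', '::1', 'localhost')


def parse_mycnf(text):
    """Return {section: {option: value}} for an INI-style my.cnf.

    Bare options such as skip-networking get the value None. The legacy
    set-variable=name=value spelling (removed in MySQL 5.5) is folded into a
    plain name=value entry, and '_' is normalised to '-' because mysqld treats
    the two interchangeably in option names.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop inline comments
        if not line or line.startswith(';'):
            continue
        header = re.match(r'^\[([^\]]+)\]$', line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                           # option before any [section]
        key, sep, value = line.partition('=')
        key, value = key.strip().lower(), value.strip()
        if key == 'set-variable' and sep:
            key, sep, value = value.partition('=')
            key, value = key.strip().lower(), value.strip()
        key = key.replace('_', '-')
        sections[current][key] = value if sep else None
    return sections


def _is_on(value):
    # A bare option (None) or 1/ON/TRUE enables a boolean option.
    return value is None or value.lower() in ('1', 'on', 'true')


def audit_mycnf(text):
    """Return a list of findings for the [mysqld] section; [] means it passes."""
    mysqld = parse_mycnf(text).get('mysqld', {})
    findings = []
    if 'skip-networking' not in mysqld or not _is_on(mysqld['skip-networking']):
        findings.append('skip-networking not set: the TCP listener is enabled')
        # bind-address is only consulted when networking is on.
        bind = mysqld.get('bind-address')
        if bind not in LOOPBACK:
            findings.append('bind-address is %r, not loopback' % bind)
    # Only an explicit 0/OFF/FALSE disables LOAD DATA LOCAL INFILE;
    # a bare local-infile line turns it on.
    infile = mysqld.get('local-infile')
    if infile is None or infile.lower() not in ('0', 'off', 'false'):
        findings.append('local-infile not disabled: LOAD DATA LOCAL INFILE can read client files')
    return findings


if __name__ == '__main__':
    for name, cnf in (('weak', WEAK_CNF), ('hardened', HARDENED_CNF)):
        print(name, audit_mycnf(cnf) or ['OK'])
```

Run it against a real file with audit_mycnf(open('/etc/my.cnf').read()); an empty list means all three hardening settings are present in [mysqld]. Options placed under [client] or [mysql] are ignored on purpose, since those sections do not configure the server.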

December 31, 2008 · 1 min · Nick

FIPS 140-2 Open Source SSL/IPSEC – Thanks Red Hat!

I always keep my eyes on what modules are undergoing FIPS validation. Here is an email sent to my teams… A shortcoming of open source has always been the lack of validated security modules. Red Hat has recognized this shortcoming and submitted their products and libraries for FIPS validation. As we move to more secure enterprise solutions it will be important to remain aware of these products so that we can lean on them in our own. Using validated products removes the need to take a hit during C&A or to seek waivers. Just a friendly FYI from your IA Architect: ...

December 22, 2008 · 2 min · Nick

I hate Windows

I run Windows XP in a virtual machine for those few programs that lack Linux and Mac clients. I booted my FULLY PATCHED, FIREWALLED Windows XP Service Pack 3 to find gay sex fetish icons. Oh, gosh, I didn’t even realize I loved me some gay pr0n. When we move to virtualized solutions and slowly get rid of Windows environments we often forget that it is still a vulnerable machine. More and more users are booting Windows simply to interface with their corporate environments and are not falling under the security posture they believe themselves to be in. ...

October 26, 2008 · 1 min · Nick