Ask Slashdot: Share Your Security Review Tales (2017-10-04)
New submitter TreZ writes: If you write software, you are most likely subject to a "security review" at some point. A large portion of this is common sense like don't put plain text credentials into github, don't write your own encryption algorithms, etc. Once you get past that there is a "subjective" nature to these reviews.
What is the worst "you can't do" or "you must do" that you've been subjected to in a security review? A fictitious example would be: you must authenticate all clients with a client certificate, plus basic auth, plus MFA token. Tell your story here, omitting incriminating details.
There's nothing more uncommon about common sense.
Apparently, acceptable grammar is quite rare as well.
You are telling me that the staff member who was running the meeting or the senior staff member in the room didn't intervene as soon as he started acting unprofessionally?
Being anti-RUST or whatever I can see. Being closed-minded to the point of being useless as a consultant I can see. But an invited outsider who gets unprofessional in a meeting should be reminded to be professional and/or removed before things get out of hand.
Fooled ya! (Score:3)
If you write software, you are most likely subject to a "security review" at some point
Wrong! My code has never been subjected to any such stupid security review.
Disclaimer: Opinions expressed here are mine, not my employer Equifax.
Disclaimer to disclaimer: Nah! I'm not really working for Equifax
We all know you're not working at Equifax. But do they pay well?
No, but my credit report looks fantastic! Now...
Nice one! What musical instrument do you play?
Disclaimer to disclaimer to disclaimer: Not anymore.
Anything the client won't pay for (Score:2)
Anything the client didn't pay for. (Threats to suspend a very large support payment count as payment, however.) Likewise, whenever a customer wanted to pay extra for an MFA, SSO or other integration, we were all ears.
Or were you looking for whining?
Buffer Overruns (Score:1)
Working for a semi-well-known mesh networking company in Seattle, I was hired for DevOps because, despite 20+ years of experience with C/C++, the gaseous CTO didn't believe I was qualified to do development. About a month into the job, I got called into a code review for one of the senior developers, and I quickly caught several buffer overruns on the "rookie mistake" level, with strncpy overflowing the allocated space.
Gotta wonder how many of those Mr. Senior Developer committed to the code base.
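The strncpy mistake described in this comment, as an added example that is not code from the company or the commenter: the bound passed to strncpy is taken from the source (or from sizeof a pointer) instead of the destination, so a long input overruns the buffer and the terminating NUL is never written. The hardened form beside it bounds the copy by the destination, always terminates, and reports truncation. The input strings and the 16-byte field size are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: a fixed-size record field */

/* The "rookie mistake": the size argument is derived from the SOURCE, so
 * strncpy copies strlen(src) bytes no matter how big dst is, and the extra
 * dst[strlen(src)] store is a second out-of-bounds write. (The sibling bug,
 * strncpy(dst, src, sizeof src) with src a pointer, copies 8 bytes and
 * leaves dst unterminated for anything longer.) This function really does
 * overrun for long input, so the demo below only calls it with a short one. */
void copy_name_buggy(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, strlen(src));
    dst[strlen(src)] = '\0';
}

/* Hardened form: bound by the DESTINATION, always NUL-terminate, and tell
 * the caller when the input did not fit instead of silently corrupting it. */
bool copy_name_safe(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        memcpy(dst, src, NAME_LEN - 1);
        dst[NAME_LEN - 1] = '\0';
        return false;               /* truncated */
    }
    memcpy(dst, src, n + 1);        /* includes the NUL */
    return true;
}

/* Reviewer's arithmetic: how many bytes past dst would the buggy call write
 * for this input? Computed, not executed, so the demo never triggers UB. */
size_t buggy_overrun_bytes(const char *src)
{
    size_t writes = strlen(src) + 1;   /* copied bytes plus the NUL store */
    return writes > NAME_LEN ? writes - NAME_LEN : 0;
}

/* Length of the field after a safe copy; always < NAME_LEN by construction. */
size_t safe_copy_len(const char *src)
{
    char tmp[NAME_LEN];
    copy_name_safe(tmp, src);
    return strlen(tmp);
}

int main(void)
{
    char buf[NAME_LEN];
    const char *ok = "alice";                              /* constructed, fits */
    const char *longname = "alice.liddell@example.org";    /* constructed, 25 chars */

    copy_name_buggy(buf, ok);      /* 5 bytes + NUL: happens to fit */
    printf("buggy copy of short input: '%s'\n", buf);
    printf("buggy copy of %zu-char input would overrun by %zu bytes\n",
           strlen(longname), buggy_overrun_bytes(longname));

    bool complete = copy_name_safe(buf, longname);
    printf("safe copy: '%s' (%s)\n", buf, complete ? "complete" : "truncated");
    return 0;
}
```

A review comment on the buggy version should ask for the bound to be `sizeof dst` (or the field size) and for the terminator to be written at `NAME_LEN - 1`; the return value in the safe version is what lets the caller reject over-long input rather than proceed with a silently truncated name.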
You were hired for a lower paying position because they felt you weren't qualified enough for the position you applied and then had you doing it anyway for less pay because your title was still something else.
This is standard practice.
FBI subpoena (Score:4, Funny)
I was a high-ranking official in the state department. The FBI sent me a subpoena for my private email server because I used it to discuss classified government business, so I had my IT guy wipe my private email server before I handed it over to the FBI. Later he was discovered on Reddit and confessed to the FBI, but I made sure they couldn't trace the decision back to me.
I bet you would have gotten away with it too, if it wasn't for those meddling kids.
You MUST have anti-virus with current signatures! (Score:3)
This happened to a customer of ours: they were told by an auditor that they absolutely must have anti-virus on all machines, as per policy. Hence they built a tunnel into a completely isolated environment with absolutely no malware vectors in order to be able to get updated AV signatures to the AV they installed on these machines. The really bad thing was that they did not seem to understand when we explained to them that they now did not have an isolated environment anymore and that the AV vendor, as well as anybody successfully attacking the AV vendor, could now attack them and export data at their leisure. What they should have done is get an exception.
I'm not sure there is such a thing as a completely isolated environment anymore. There are too many air-gap bridging attacks. (See also Stuxnet).
Now, those attacks require far more work than the anti-virus vector. And it's not likely to be used. But it should be expected that something valuable enough (to a nation state) will be breached.
In practical terms, an isolated environment is one where the only way anything gets into the system is by a human being manually entering it, and the only way anything gets out is by what a human being carries away with him, either in his head or in his pocket/briefcase/other.
I would count a system that has a keyboard or mouse for input, a video screen, printer, and maybe a "write only" media-writing tool (see below) that is in a room where electronic- or even look-at-the-screen-through-the-window eavesdropping
Chris, there is a typo in your fake user name. It should be IAteFatCashews because you sure ate a lot of them when we gave some to you. Too bad you can't afford them by yourself.
1) I'm not Chris. 2) No typo in name and all names are fake. 3) Fuck off, bitch.
That's actually really cool.
you mean, no way for users to break the machine???
Must be a sysadmin's wet dream!
We get a keyboard, mouse, and monitor.
BWUHAHAHAHA says the disgruntled soon-to-be-ex-employee who happens to have a photographic memory.
Make sure 4096 bits is 4096 bits (Score:1)
I worked for a startup as a contractor, and they were readying a security product to hit the market. It used public and private keys. Instead of generating and using a 4096 bit key (for securing files), it used sixty-four, 64-bit RSA keys. The reason for this is that the CEO wanted the ability to decode stuff in case a customer locked themselves out.
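Why a reviewer should reject "sixty-four 64-bit RSA keys" as a stand-in for one 4096-bit key, as an added illustration that is not code from the startup or the commenter: a 64-bit RSA modulus is the product of two roughly 32-bit primes, and Pollard's rho recovers the private factors in about 2^16 steps, so each of the 64 keys falls in milliseconds and the scheme's strength is 64 times a trivial cost, not 2^4096-scale. The modulus below is constructed from two known 32-bit primes (2^32-5 and 2^32-17), not from any real product key, and the code assumes a compiler with `unsigned __int128` (GCC/Clang).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 128-bit intermediate so a*b mod n is exact for 64-bit operands. */
typedef unsigned __int128 u128;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    return (uint64_t)((u128)a * b % n);
}

static uint64_t gcd_u64(uint64_t a, uint64_t b)
{
    while (b != 0) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Bit length of n: a "64-bit RSA key" is a modulus with bit_length 64. */
unsigned bit_length(uint64_t n)
{
    unsigned bits = 0;
    while (n) { bits++; n >>= 1; }
    return bits;
}

/* Pollard's rho with Floyd cycle detection. For a 64-bit semiprime the
 * smaller prime is about 2^32, so the expected work is about 2^16 steps. */
uint64_t pollard_rho(uint64_t n)
{
    if (n % 2 == 0) return 2;
    for (uint64_t c = 1; c < 64; c++) {     /* new constant if a cycle degenerates */
        uint64_t x = 2, y = 2, d = 1;
        while (d == 1) {
            x = (uint64_t)(((u128)mulmod(x, x, n) + c) % n);
            y = (uint64_t)(((u128)mulmod(y, y, n) + c) % n);
            y = (uint64_t)(((u128)mulmod(y, y, n) + c) % n);
            d = gcd_u64(x > y ? x - y : y - x, n);
        }
        if (d != n) return d;
    }
    return 0;   /* no factor found; caller treats as failure */
}

/* Split a modulus into p*q with p <= q. Returns false if nothing was found. */
bool factor_modulus(uint64_t n, uint64_t *p, uint64_t *q)
{
    uint64_t d = pollard_rho(n);
    if (d == 0 || d == 1 || d == n || n % d != 0) return false;
    uint64_t e = n / d;
    *p = d < e ? d : e;
    *q = d < e ? e : d;
    return true;
}

/* Convenience for checks: the smaller prime factor, or 0 on failure. */
uint64_t smallest_factor(uint64_t n)
{
    uint64_t p, q;
    return factor_modulus(n, &p, &q) ? p : 0;
}

int main(void)
{
    /* Constructed modulus: (2^32-5) * (2^32-17). Not a key from the story. */
    const uint64_t n = 18446743979220271189ULL;
    uint64_t p, q;
    printf("modulus has %u bits\n", bit_length(n));
    if (factor_modulus(n, &p, &q))
        printf("%llu = %llu * %llu\n", (unsigned long long)n,
               (unsigned long long)p, (unsigned long long)q);
    return 0;
}
```

Key size is not additive across independent keys: an attacker who wants any one file only needs the one 64-bit modulus that protects it. The "CEO needs a way in" requirement is a key-escrow requirement and should be met by escrowing a properly sized key under controlled access, not by weakening every key.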
How did that CEO die, and was it horribly?
Worst and Best (Score:2)
I used to work for a company, about a year ago, where no one had even the most basic concept of data security. During my time there I implemented MFA on all servers, programmed in data encryption, data validation, client verification, DB security and other such improvements. Well, I was showing the three other existing employees how the software worked and how the new infrastructure worked, and they didn't like that it was now "hard" to log into the servers and that they would now have to use password a
Funny incident, not really security review (Score:3)
Some nosy-parker busybody customer did a "strings" on our product, found the string and ratted us out to our CTO. Nothing serious happened, just a slap on the wrist. But another colleague told me the same customer found the full "man from Nantucket" in his test strings for the stringutil library he wrote. And another said that customer also found the "Fuck! Got null pointer again!" in his code.
We think he was looking for some kind of debug switches and env settings that will disable license check.
Nasty incident at an automation software hut (Score:1)