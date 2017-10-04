

 


Ask Slashdot: Share Your Security Review Tales

Posted by msmash from the let's-get-going dept.
New submitter TreZ writes: If you write software, you are most likely subject to a "security review" at some point. A large portion of this is common sense, like don't put plaintext credentials into GitHub, don't write your own encryption algorithms, etc. Once you get past that, there is a "subjective" nature to these reviews.

What is the worst "you can't do" or "you must do" that you've been subjected to in a security review? A fictitious example would be: you must authenticate all clients with a client certificate, plus basic auth, plus MFA token. Tell your story here, omitting incriminating details.

  • Fooled ya! (Score:3)

    by 140Mandak262Jamuna ( 970587 ) on Wednesday October 04, 2017 @02:43PM (#55310151) Journal

    Wrong! My code has never been subjected to any such stupid security review.

    Disclaimer: Opinions expressed here are mine, not my employer Equifax.

    Disclaimer to disclaimer: Nah! I'm not really working for Equifax

  • >> What is the worst "you can't do" or "you must do" that you've been subjected to in a security review?

    Anything the client didn't pay for. (Threats to suspend a very large support payment count as payment, however.) Likewise, whenever a customer wanted to pay extra for an MFA, SSO or other integration, we were all ears.

    Or were you looking for whining?

  • Working for a semi-well-known mesh networking company in Seattle, I was hired for DevOps because, despite 20+ years' experience with C/C++, the gaseous CTO didn't believe I was qualified to do development. About a month into the job, I got called into a code review for one of the senior developers, and I quickly caught several buffer overruns on the "rookie mistake" level, with strncpy overflowing the allocated space.

    Gotta wonder how many of those Mr. Senior Developer committed to the code base.

    • You were hired for a lower paying position because they felt you weren't qualified enough for the position you applied and then had you doing it anyway for less pay because your title was still something else.

      This is standard practice.

    • Man, I had the exact same experience nearly. I was a n00b C coder in an embedded shop. I thought "These guys are veteran coders who can put me up on some real design patterns." Turned out that was mostly right, I met some badass C++ and TCL coders (the TCL guy was hyper-smart, he wrote a huge part of the ATC code still out there in a lot of airports). However, the place had two bosses (Bob) and one of them was a self-proclaimed "20-year veteran". He really had been coding in C for most of that time, but MY
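
The strncpy overruns mentioned in the post above come in two well-known shapes, and it is worth seeing both beside a safe copy. The following is an added example written for this page, not code from the company or the developer described; NAME_MAX, the function names and the input strings are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the destination field for the illustration */

/* Rookie pattern 1: the bound is taken from the SOURCE. strncpy copies
 * strlen(src) bytes into dst no matter how small dst is, and writes no NUL,
 * so this is an ordinary memcpy-style overflow. Defined here to show the
 * shape; deliberately never called, because calling it with a long src is
 * undefined behaviour. */
void copy_name_bound_from_source(char *dst, const char *src)
{
    strncpy(dst, src, strlen(src));
}

/* Rookie pattern 2: the bound is right, but when src is NAME_MAX bytes or
 * longer strncpy fills dst completely and writes no terminator, so every
 * later strlen()/printf("%s") on dst reads off the end of the buffer.
 * Writing exactly sizeof dst bytes is well-defined, so this one can be
 * demonstrated safely: returns 1 if dst was left unterminated. */
int strncpy_leaves_unterminated(const char *src)
{
    char dst[NAME_MAX];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Hardened copy: bound from the DESTINATION, always NUL-terminated, and
 * truncation is reported (-1) instead of silently accepted. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0) return -1;
    if (src_len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;   /* truncated: the caller decides whether that is fatal */
    }
    memcpy(dst, src, src_len + 1);
    return 0;
}

/* Small wrappers that report the outcome of copying src into a NAME_MAX field. */
int name_copy_rc(const char *src)
{
    char buf[NAME_MAX];
    return copy_name(buf, sizeof buf, src);
}

size_t name_copy_len(const char *src)
{
    char buf[NAME_MAX];
    copy_name(buf, sizeof buf, src);
    return strlen(buf);
}

int main(void)
{
    /* constructed input: 25 bytes, longer than the 16-byte field */
    const char *long_input = "this-name-is-far-too-long";
    char name[NAME_MAX];

    printf("strncpy with sizeof bound leaves no NUL: %d\n",
           strncpy_leaves_unterminated(long_input));
    int rc = copy_name(name, sizeof name, long_input);
    printf("copy_name rc=%d name=\"%s\" len=%zu\n", rc, name, strlen(name));
    return 0;
}
```

The review check is mechanical: for every strncpy, ask where the length argument comes from (it must be the destination's size) and who writes the terminator (strncpy will not when the source is too long). Compilers flag some of these with -Wstringop-truncation, but not the source-bound variant when the length is computed at run time.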

  • FBI subpoena (Score:4, Funny)

    by ahziem ( 661857 ) on Wednesday October 04, 2017 @03:00PM (#55310247) Homepage
    I was a high-ranking official in the state department. The FBI sent me a subpoena for my private email server because I used it to discuss classified government business, so I had my IT guy wipe my private email server before I handed it over to the FBI. Later he was discovered on Reddit and confessed to the FBI, but I made sure they couldn't trace the decision back to me.

    • I was a high-ranking official in the state department. The FBI sent me a subpoena for my private email server because I used it to discuss classified government business, so I had my IT guy wipe my private email server before I handed it over to the FBI. Later he was discovered on Reddit and confessed to the FBI, but I made sure they couldn't trace the decision back to me.

      I bet you would have gotten away with it too, if it wasn't for those meddling kids.

  • You MUST have anti-virus with current signatures! (Score:3)

    by gweihir ( 88907 ) on Wednesday October 04, 2017 @03:03PM (#55310279)

    This happened to a customer of ours: they were told by an auditor that they absolutely must have anti-virus on all machines, as per policy. Hence they built a tunnel into a completely isolated environment with absolutely no malware vectors in order to get updated AV signatures to the AV they installed on these machines. The really bad thing was that they did not seem to understand when we explained to them that they now no longer had an isolated environment, and that the AV vendor, as well as anybody successfully attacking the AV vendor, could now attack them and export data at their leisure. What they should have done is get an exception.

    • I'm not sure there is such a thing as a completely isolated environment anymore. There are too many air-gap bridging attacks. (See also Stuxnet).

      Now, those attacks require far more work than the anti-virus vector. And it's not likely to be used. But it should be expected that something valuable enough (to a nation state) will be breached.

        by davidwr ( 791652 )

        I'm not sure there is such a thing as a completely isolated environment anymore. There are too many air-gap bridging attacks. (See also Stuxnet).

        In practical terms, an isolated environment is one where the only way anything gets into the system is by a human being manually entering it, and the only way anything gets out is by what a human being carries away with him, either in his head or in his pocket/briefcase/other.

        I would count a system that has a keyboard or mouse for input, a video screen, printer, and maybe a "write only" media-writing tool (see below) that is in a room where electronic- or even look-at-the-screen-through-the-window eavesdropping

  • Make sure 4096 bits is 4096 bits (Score:1)

    by Anonymous Coward

    I worked for a startup as a contractor, and they were readying a security product to hit the market. It used public and private keys. Instead of generating and using a 4096 bit key (for securing files), it used sixty-four, 64-bit RSA keys. The reason for this is that the CEO wanted the ability to decode stuff in case a customer locked themselves out.
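
Why sixty-four 64-bit keys are not a 4096-bit key: each one can be factored on its own in a fraction of a second, so the attacker's cost is sixty-four trivial jobs, not one infeasible one. The block below is an added example written for this page, not the startup's product code. It builds a toy key of the size the post describes (p = 2^31-1 and q = 2^32-5, both prime, giving a 63-bit modulus), factors it with Pollard's rho, rebuilds the private exponent and decrypts a ciphertext using nothing but the public key. The TOY_* constants and the sample plaintext are constructed for the illustration; the 128-bit integer type is a gcc/clang extension.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* gcc/clang extension for 64x64-bit modular products */

/* Constructed toy key. Real RSA keys need 2048 bits or more. */
#define TOY_P 2147483647ULL               /* 2^31 - 1, prime */
#define TOY_Q 4294967291ULL               /* 2^32 - 5, prime */
#define TOY_N (TOY_P * TOY_Q)             /* 63-bit modulus, fits in uint64_t */
#define TOY_E 65537ULL

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((u128)a * b % m);
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Modular inverse by the extended Euclidean algorithm; assumes gcd(a, m) == 1. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    __int128 t = 0, nt = 1, r = m, nr = a;
    while (nr) {
        __int128 q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (t < 0) t += m;
    return (uint64_t)t;
}

/* Pollard's rho with Floyd cycle detection: x -> x^2 + c mod n. Expected
 * work is about sqrt(smallest prime factor) steps, i.e. ~2^16 for a 64-bit
 * modulus. Returns a nontrivial factor of the odd composite n, or 0 if every
 * polynomial tried degenerated. */
uint64_t pollard_rho(uint64_t n)
{
    if (n % 2 == 0) return 2;
    for (uint64_t c = 1; c < 64; c++) {
        uint64_t x = 2, y = 2, d = 1;
        while (d == 1) {
            x = (mulmod(x, x, n) + c) % n;
            y = (mulmod(y, y, n) + c) % n;
            y = (mulmod(y, y, n) + c) % n;
            d = gcd64(x > y ? x - y : y - x, n);
        }
        if (d != n) return d;
    }
    return 0;
}

/* The attack: from the public key (n, e) and a ciphertext c alone, factor n,
 * rebuild d and decrypt. Returns 0 if factoring or the inverse failed. */
uint64_t rsa_recover(uint64_t n, uint64_t e, uint64_t c)
{
    uint64_t p = pollard_rho(n);
    if (p == 0) return 0;
    uint64_t q = n / p;
    uint64_t phi = (p - 1) * (q - 1);   /* smaller than n, so no overflow */
    if (gcd64(e, phi) != 1) return 0;
    uint64_t d = modinv(e, phi);
    return powmod(c, d, n);
}

int main(void)
{
    uint64_t m = 0x48656c6c6fULL;                 /* constructed plaintext, "Hello" as an integer */
    uint64_t c = powmod(m, TOY_E, TOY_N);         /* what the legitimate side publishes */
    printf("n = %llu, factor found = %llu\n",
           (unsigned long long)TOY_N, (unsigned long long)pollard_rho(TOY_N));
    printf("ciphertext %llu -> recovered plaintext %llu (expected %llu)\n",
           (unsigned long long)c, (unsigned long long)rsa_recover(TOY_N, TOY_E, c),
           (unsigned long long)m);
    return 0;
}
```

The point for the review is that key size is not additive across independent keys: the security of the scheme is that of its weakest single key. If the business requirement is "the CEO can recover a customer's files", the answer is escrow of the real key (or a second recipient key) under controlled access, not a key the whole world can break.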

  • Worst:

    I used to work for a company, about a year ago, where no one had even the most basic concept of data security. During my time there I implemented MFA on all servers, programmed in data encryption, data validation, client verification, DB security and other such improvements. Well, I was showing the three other existing employees how the software worked and how the new infrastructure worked; they didn't like that it was now "hard" to log into the servers and that they would now have to use password a
  • I needed a long string to test some of my encryption decryption code. Some local test string for debugging and testing. It was just after 9/11. Naturally I wrote a long rant against Osama Bin Laden and used that as the test string. Encrypted, decrypted, round tripped, compared the strings, checked in the code. But forgot to #ifdef out the testing code.

    Some nosy-parker busybody customer did a "strings" on our product, found the string and ratted me out to our CTO. Nothing serious happened, just a slap on the wrist. But another colleague told me the same customer found the full "man from Nantucket" in his test strings for the stringutil library he wrote. And another said that customer also found the "Fuck! Got null pointer again!" in his code.

    We think he was looking for some kind of debug switches and env settings that would disable the license check.
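
What the customer in the post above did is `strings` plus a keyword grep, and it is a check worth running on your own release artifacts before a customer does. The block below is an added example written for this page, not the poster's product: a minimal `strings -n` equivalent in C run over a constructed byte blob that stands in for a shipped binary, flagging any string that looks like a leftover test string or a debug/license knob. The blob, the keyword list and all names are constructed for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a release binary: a few code-looking bytes with
 * a forgotten test string and an environment knob that never got #ifdef'd
 * out. Adjacent literals keep hex escapes from swallowing the text. */
static const char sample_binary[] =
    "\x7f" "ELF\x02\x01\x01\0\0\0"          /* header-looking bytes */
    "\x90\x90\xc3\0"                         /* nop; nop; ret */
    "This is my test rant\0"                 /* forgotten test string */
    "\xe8\0\0\0\0\x55\x48\x89\xe5"           /* call; push rbp; mov rbp,rsp */
    "SKIP_LICENSE_CHECK\0"                   /* env knob left in a shipping build */
    "\x48\x83\xec\x10" "ok\0";

typedef void (*string_cb)(const char *s, size_t len, void *ctx);

/* Emulates `strings -n min_len`: reports every run of at least min_len
 * printable ASCII bytes (0x20..0x7e) to cb and returns how many were found. */
size_t extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                       string_cb cb, void *ctx)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = i < len && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable) continue;               /* still inside a run */
        if (i - start >= min_len) {
            count++;
            if (cb) cb((const char *)buf + start, i - start, ctx);
        }
        start = i + 1;                          /* run (if any) ended at this byte */
    }
    return count;
}

/* Case-insensitive match against words that usually mean "should not have
 * shipped". The list is a constructed starting point, not an exhaustive one. */
int contains_keyword(const char *s, size_t len)
{
    static const char *keywords[] = { "LICENSE", "DEBUG", "TRIAL", "SKIP", "TEST" };
    char upper[128];
    size_t n = len < sizeof upper - 1 ? len : sizeof upper - 1;
    for (size_t i = 0; i < n; i++) upper[i] = (char)toupper((unsigned char)s[i]);
    upper[n] = '\0';
    for (size_t k = 0; k < sizeof keywords / sizeof keywords[0]; k++)
        if (strstr(upper, keywords[k])) return 1;
    return 0;
}

static void flag_cb(const char *s, size_t len, void *ctx)
{
    if (contains_keyword(s, len)) {
        (*(size_t *)ctx)++;
        printf("suspicious: %.*s\n", (int)len, s);
    }
}

/* Runs the scanner and returns the number of strings that hit a keyword. */
size_t count_suspicious(const unsigned char *buf, size_t len, size_t min_len)
{
    size_t hits = 0;
    extract_strings(buf, len, min_len, flag_cb, &hits);
    return hits;
}

int main(void)
{
    const unsigned char *blob = (const unsigned char *)sample_binary;
    size_t blob_len = sizeof sample_binary - 1;   /* drop the literal's own terminator */
    printf("%zu strings of length >= 4\n", extract_strings(blob, blob_len, 4, NULL, NULL));
    printf("%zu suspicious\n", count_suspicious(blob, blob_len, 4));
    return 0;
}
```

On a real build you would run the real tool (`strings -n 8 product | grep -iE 'license|debug|trial|test'`) against every shipped binary in CI and fail the build on hits; the scanner above only makes the mechanics visible. Anything an attacker can read with `strings` is not a secret, so license checks and debug switches must not depend on a string staying unnoticed.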

  • I was summoned by a contract firm to a 500 person company that had been a victim of an inside job. They wanted a security review and fixes for "whatever that guy did". Turns out the guy was a half-assed developer. The client had spotty and in some cases non-existent backups. They wanted to pass a SOX audit (hahahaha!) while 20-30 machines were completely pwned and backdoored. He'd used everything from sub7 to more modern remote access & control tools. Some of the tools looked like ones he'd cobbled toge

