The hardcopy edition has Morgan’s tips for IT Managers that the linked version doesn’t, but it’s worth a read anyway:
www.misweb.com/magarticle.asp?doc_id=26121&rgid=2&listed_months=-1
This will be interesting to follow:
www.computerworld.com.au/index.php/id;539294509;fp;16;fpid;1
Let me, from the start, take consulting dudes (external) out of the picture, because obviously we / they know everything, and in most cases the recommendations and reports presented by them / us weigh a tonne compared to what internal dudes say.
Now, to the point of the question – why would any normal person want to be an internal security manager/admin/analyst when:
1. You’re everyone’s mate when you join. You’ve been brought in as the golden child to solve the company’s problems. Every IT dept manager is keen to meet and “brief” you on how life in the organisation is and should be, and within a month or so, as you start to display your talent, you’re no longer a “team player”.
2. Everything you were told before signing the contract about your sway in the business, your ability to effect change and improve things, in reality means: the organisation that pays you will fight you every step of the way before allowing you to perform what you believe your role to be. In most cases, you won’t be able to.
3. Your fellow IT guys will have no sympathy or empathy for what you do. (You think: how are some of these people working in IT? You see that you are in the minority.)
4. You feel like you’re the sole voice in telling the dudes you work for that they have major problems. Even when you get an audience with “management”, you get lip service only.
5. You battle every step of the way to achieve even small gains.
6. You spend most of your time wondering why TF you are there and life must be better elsewhere.
7. The company engages consultants (see the “Management Consultants” chapter in Scott Adams’ “The Dilbert Principle”) who come in, cost heaps, and tell the company what you already told them; their recommendations are taken on board and you are asked why this isn’t happening already.
It’s a rare breed that does this role. My first post on this blog talked about “Irish” – this post covers that again.
Keen on your thoughts.
The recent figures posted by Acunetix (see previous post) were an eye opener to many, including long-term IT industry guys... and that is a concern.
The simple fact is that most people underestimate the problems out there on websites, and are comfortable believing that many in the IT security business are being far more alarmist than they should be, doing no more than trying to keep themselves in business.
The truth is that bad things are happening out there, and just because people don’t hear about it doesn’t mean it isn’t happening. We know, because we see it every day.
Are web developers getting smarter with regard to secure coding? Based upon our experience, I’d say they’re not. Most haven’t heard of OWASP, have never been taught secure coding practices / skills, and rarely work in an environment where security plays a role in the SDLC.
I’m not just talking about internal developers; you can lump third-party hired guns into that category. It never ceases to amaze me when we review new sites developed for organisations by so-called experts.
A good friend is the CEO of a manufacturing business with offices in Australia, Asia and the UK. While they’ve had a basic web presence and e-business capability for a while, they recently paid for the development of a new B2B and B2C site. Good dollars changed hands. Now, the CEO is no IT guru, but when dealing with a supposedly reputable development shop, he does expect a quality product for his dollars. As a favour, we offered to test the site for him. Now, where do we start?
- Information leakage throughout
- Access for anyone on the net who wants to track who’s buying and how much from his company
- User-friendly access to admin screens to test password guessing capabilities
- Convenient site back up including all application source code zipped up in preparation for anyone to download
- Detailed error reporting to support our “tests”
- A nice photo of a baby in a bath with its mother (we guess it could be one of the developer’s new-born baby), though you’d have to know where to look on the site to find it.
- etc., etc., etc. ... it goes on and on, and we’ve barely gotten into any real testing as yet.
An exception? No!
If anything, the Acunetix figures could be pumped up another 20% and I reckon you’d be closer to the mark.
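Two of the findings above (information leakage and detailed error reporting handed to the browser) come from the same secure-coding gap: exceptions are formatted straight into the response. The example below is added here and is not code from the blog or from the site described in the post; it is framework-neutral, and `lookup_order`, the request handlers and the response shape are constructed for the example. It puts the leaky pattern beside the hardened one, where the full traceback goes only to the server log under a correlation id, and includes the check a reviewer can run over a response body to spot a leaked trace.

```python
"""Added example: verbose vs. hardened error responses (not the blog's code).

The backend and handlers are hypothetical stand-ins for a real web app's
request path; the point is what reaches the client when something fails.
"""
import logging
import traceback
import uuid

log = logging.getLogger("app")


def lookup_order(order_id: str) -> dict:
    # Constructed sample backend: a malformed id raises, much as a real
    # data-access layer would. Assumed for the example only.
    if not order_id.isdigit():
        raise ValueError(f"bad order id: {order_id!r}")
    return {"order": int(order_id), "status": "shipped"}


def handle_request_verbose(order_id: str) -> tuple[int, str]:
    """The weak pattern: the client receives the stack trace, which names
    internal files, functions and the offending input value."""
    try:
        return 200, str(lookup_order(order_id))
    except Exception:
        return 500, traceback.format_exc()


def handle_request_hardened(order_id: str) -> tuple[int, str]:
    """The corrected pattern: detail goes to the server log keyed by a
    correlation id; the client only gets the id to quote to support."""
    try:
        return 200, str(lookup_order(order_id))
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed ref=%s", ref)  # traceback stays server-side
        return 500, f"An internal error occurred. Reference: {ref}"


def leaks_internals(body: str) -> bool:
    """Review check: does a response body carry the tell-tale signs of a
    Python traceback (file paths, frame listing, exception class)?"""
    markers = ("Traceback (most recent call last)", 'File "', "ValueError")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for handler in (handle_request_verbose, handle_request_hardened):
        status, body = handler("abc")
        print(handler.__name__, status, "leaks" if leaks_internals(body) else "clean")
```

The same shape applies to whatever framework the site uses: production configuration should route exception detail to logs (with a reference the user can quote), and a generic error page to the client. `leaks_internals` is the kind of assertion worth keeping in an integration test so a debug setting switched on during development does not ship.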
DD
