Thursday, June 22, 2006

To Admins:

Don't be cocky when it comes to security.
(For those of you unfamiliar with the English language, that dot at the end of the sentence was a period; it denotes the end of an idea or sentence, and eliminates the possibility that there are caveats to the statement.)

I'd like to cover a few points, if I may...

  • I know you are an admin, and that you've been doing it for a long time, and I'm very impressed; but you must realize that you are NOT a security expert.

  • Nothing is more unprofessional than a little chest-thumping or insulting my age when I find vulnerabilities in your website. Well, taking a dump on your boss's lap would be pretty unprofessional, but if you're doing that, you probably know that you're being unprofessional. "I've been doing this since you were in diapers!" may seem like a good point in your mind, but it doesn't change the fact that I found a vulnerability.

  • Don't get pissy when I break shit. It's on the waiver. I plan around your working hours so the impact is minimized. EXPECT ME TO BREAK SHIT. Because if I pull any punches, you're not getting the true vulnerability assessment you want. If I didn't try to break shit, then what happens when a malicious hacker actually TRIES to break shit? "Why didn't you tell me we were vulnerable to this kind of attack?!" "Because you didn't approve me to test for it." Don't ask for an incomplete test. It gives you no assurances whatsoever.

  • Jacks of all trades are masters of none. I'm very impressed that "back in your day" you used to write databases in assembly with one hand tied behind your back, maintain your own database, and chew gum at the same time, but knowing a bit about everything, and a lot about nothing is not something to be proud of. Reminding me to "check for open ports!" only shows me how little you know. Know your limitations, try to know what you don't know. And for cripes' sake; leave it to the professionals.

  • You can NOT run a scan on your own network or website. This is for everyone, myself included. Someone who works on the network they're scanning will not run a complete scan. There WILL be things you leave out, there WILL be avenues you don't follow, and it probably won't be on purpose. You can't run a complete scan on your own network. Period.

  • Divide your site into two sections, unauthenticated pages, and authenticated pages. NOT just authentication pages and non-authentication pages. I can't tell you how many sites I've gotten into because the login page was defended against every type of injection possible, only to find a help page or contact page that used an unprotected DB query to retrieve information. As cliché as it sounds, your doors are locked, but your windows are open.

  • Don't be afraid of a security audit. The only thing it will do is give you some holes to patch. If you think it will somehow expose you as being a bad admin (which you're probably not); just think of the alternative... Malicious hacker gets in, wreaks havoc on your network, and it takes you days to recover (if you're lucky!), only to find that the hacker is still in your network weeks later. Malicious hackers are hard to remove. Let a benevolent one tell you what to fix, so you can sleep well at night.

  • A Web Application Security Assessment is NOT a Vulnerability Scan. 90% of penetrations occur through the web front-end; a patched, firewalled, anti-virus scanned web front-end. A vulnerability scan checks for server vulnerabilities, not exploitable code in a website. There are very few automated scans that can perform good web front-end code checks, and none that can do it completely. What admins don't understand is that the web front-end is not suffering from a vulnerability; it's acting exactly as it should. It's just that it is letting people perform functions they shouldn't be able to. Know what you need, and hire someone who knows what they're doing.
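The "help page with an unprotected DB query" point above, as an added example that is not from the original post: a constructed in-memory SQLite table stands in for the site's database, and the same help-topic lookup is written the way the post describes (string concatenation) and in its hardened, parameterized form, so you can see where the two diverge on a quote-bearing input. The table, function names and sample rows are all assumptions made for the illustration.

```python
import sqlite3


def make_help_db():
    """Build a constructed in-memory database standing in for the site's
    real one: a help_articles table that an unauthenticated help page reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE help_articles (id INTEGER PRIMARY KEY, topic TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO help_articles (topic, body) VALUES (?, ?)",
        [("login", "How to sign in"), ("billing", "How billing works")],
    )
    conn.commit()
    return conn


def help_lookup_unprotected(conn, topic):
    """The pattern the post warns about: the help page splices the user-supplied
    topic straight into the SQL text, so the input can change the query's meaning."""
    sql = "SELECT body FROM help_articles WHERE topic = '" + topic + "'"
    return [row[0] for row in conn.execute(sql)]


def help_lookup_parameterized(conn, topic):
    """Hardened form: the topic is bound as a parameter, so the database treats
    it as a literal string no matter what characters it contains."""
    sql = "SELECT body FROM help_articles WHERE topic = ?"
    return [row[0] for row in conn.execute(sql, (topic,))]


def compare_lookups(topic):
    """Run both versions on the same input and report what each returns.
    A difference means the input altered the unprotected query's logic."""
    conn = make_help_db()
    try:
        return {
            "unprotected": help_lookup_unprotected(conn, topic),
            "parameterized": help_lookup_parameterized(conn, topic),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both lookups behave the same.
    print(compare_lookups("billing"))
    # A quote-bearing input (a classic audit test case): only the unprotected
    # query returns every article, which is the finding an assessment reports.
    print(compare_lookups("' OR '1'='1"))
```

The parameterized version is the fix to apply to every page that reads from the database, not just the login form.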

These don't sound like unreasonable requests. Give them some thought. When's the last time you had an externally provided security audit? I'll bet the answer is either "over a year" or "never." Get the audit before it's too late.
