
Start with security …or end with it April 13, 2015

Posted by mtv in Security.

I work with a wide variety of software vendors and see varying levels of security-mindedness in the products they peddle. At best I’ll find moderate security-mindedness, but more often than not security is low on the vendor’s list of concerns because it is not their security at stake – it’s yours.

A few weeks ago I discovered a worm on one of my systems (running my least favorite/secure piece of software), notified the vendor, and a few days later the vendor sent out an alert to customers with steps to remediate the threat. What was the fix? To remove an unutilized JBoss management interface. What’s even worse is that this same web application was exploited 3 years ago, and the fix then was to remove yet another unutilized management interface. Why were these interfaces included in their custom JBoss implementation to begin with? Laziness, in my opinion, and a clear failure to consider security in the development process.

We see time and time again that exploits occur when less-than-secure default configurations are not tightened up, and the time to do that is during the development stage, NOT after a system is live. Once you’re in production, the level of effort required to tackle security changes multiplies tenfold. By ignoring these concerns initially you’ve made it so much harder for yourself, your organization, and your end users.
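The kind of check the post argues for is cheap to run before go-live. The script below is an added example, not code from the post or from any vendor, and it assumes the management-console WAR names that common JBoss AS 4/5 bundles ship under (adjust the tuple for a custom build): it walks a deploy directory, reports any management console that is still deployed, and flags those whose web.xml declares no security-constraint. The sample deploy tree it builds is constructed for demonstration.

```python
"""Audit a JBoss AS deploy directory for management consoles that are still
deployed and lack an authentication <security-constraint> in their web.xml."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: console names as shipped by common JBoss AS 4/5 bundles;
# extend the tuple with whatever your vendor's custom build deploys.
MANAGEMENT_CONSOLES = ("jmx-console.war", "web-console.war", "admin-console.war")

def declares_security_constraint(xml_text):
    """True if the web.xml text contains at least one <security-constraint>."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False  # unparseable descriptor: treat as unprotected
    # strip namespaces so both DTD-style and schema-style web.xml match
    return any(el.tag.rsplit("}", 1)[-1] == "security-constraint" for el in root.iter())

def audit_deploy_dir(deploy_dir):
    """Map each known console found below deploy_dir to its protection state."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(deploy_dir):
        for name in dirnames:
            if name not in MANAGEMENT_CONSOLES:
                continue
            web_xml = os.path.join(dirpath, name, "WEB-INF", "web.xml")
            if not os.path.isfile(web_xml):
                findings[name] = "missing web.xml"
                continue
            with open(web_xml, encoding="utf-8") as fh:
                protected = declares_security_constraint(fh.read())
            findings[name] = "protected" if protected else "unprotected"
    return findings

# Constructed sample: a throwaway deploy tree with one open console and one
# console that requires a role, so the audit can be exercised offline.
OPEN_XML = "<web-app><servlet><servlet-name>x</servlet-name></servlet></web-app>"
LOCKED_XML = ("<web-app><security-constraint><auth-constraint><role-name>"
              "JBossAdmin</role-name></auth-constraint></security-constraint></web-app>")

def build_sample_deploy_dir():
    base = tempfile.mkdtemp(prefix="jboss-deploy-")
    for war, xml_text in (("jmx-console.war", OPEN_XML), ("admin-console.war", LOCKED_XML)):
        os.makedirs(os.path.join(base, war, "WEB-INF"))
        with open(os.path.join(base, war, "WEB-INF", "web.xml"), "w") as fh:
            fh.write(xml_text)
    return base
```

Against a real install, call `audit_deploy_dir()` on the server's deploy directory; any console reported as "unprotected" or "missing web.xml" is a candidate for removal before the system goes live.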
