The Pen Test


  • Management accepts that security is a priority when the company gets breached.

  • Any idea on the costs? What percentage of the budget is security done right taking?


  • Brent Ozar's popular sp_Blitz is mainly geared toward server configuration and physical modeling best practices, but it also contains some checks for security best practices as well; checking for things like accounts with sysadmin membership or mssql accounts with an empty password. The thing I like about the stored procedure approach to something like this is that it's open source and no time is wasted developing or supporting a front end tool. As DBAs, we can just install it, use it, and even retrofit or extend it for our own purpose. There are probably 1,000 different things that could be checked, but it's the type of thing that can be easily crowd sourced by the community if we discover an additional check that others may find useful as well.

    https://www.brentozar.com/blitz/

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • But out of the box SQL Server's default settings are tight as far as security is concerned. We don't really need to nail things down so much as avoid bad practices like turning on xp_cmdshell or creating an unauthenticated linked server connection.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
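    The checks the two posts above describe (sysadmin membership, SQL logins with an empty password, xp_cmdshell, linked-server login mappings with stored credentials) can be written directly against the catalog views. This is an added example, not sp_Blitz's own code; it assumes the caller holds CONTROL SERVER, which PWDCOMPARE requires.

    ```sql
    -- 1. Who is a member of the sysadmin fixed server role?
    SELECT m.name AS member_name, m.type_desc
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin';

    -- 2. SQL-authenticated logins whose stored hash matches the empty string.
    --    PWDCOMPARE needs CONTROL SERVER (assumption: run as such a principal).
    SELECT name, is_disabled
    FROM sys.sql_logins
    WHERE PWDCOMPARE(N'', password_hash) = 1;

    -- 3. Is xp_cmdshell switched on? value_in_use = 1 means enabled.
    SELECT name, CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = N'xp_cmdshell';

    -- 4. Linked-server login mappings that connect with a stored fixed remote
    --    login (uses_self_credential = 0) instead of the caller's own identity.
    --    local_principal_id = 0 is the catch-all mapping applied to every login.
    SELECT s.name AS linked_server,
           s.data_source,
           ISNULL(p.name, N'<all logins>') AS local_login,
           ll.remote_name
    FROM sys.servers AS s
    JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
    LEFT JOIN sys.server_principals AS p ON p.principal_id = ll.local_principal_id
    WHERE s.is_linked = 1
      AND ll.uses_self_credential = 0
      AND ll.remote_name IS NOT NULL;
    ```

    Each query returns rows only where there is something to review, so an empty result set is the clean outcome.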

  • Iwas Bornready (4/25/2016)


    Management accepts that security is a priority when the company gets breached.

    ....or more like...

    Management accepts that security should have been a priority when the company gets breached.

    i.e. nothing will change.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (4/25/2016)


    Iwas Bornready (4/25/2016)


    Management accepts that security is a priority when the company gets breached.

    ....or more like...

    Management accepts that security should have been a priority when the company gets breached.

    i.e. nothing will change.

    ??

    When you have a professional pen test done it's frightening what they find. Some of it is pretty obscure and not the stuff a DBA would necessarily look for. Maybe a DLL with a buffer overrun vulnerability that should have been patched. Maybe ports left open where hackers can install some form of listening service.

    You can be sat there thinking SQL Server is locked down tight and secure, but your impregnable castle is built on sand and soft rock.

  • Well, I have to agree with the editorial when it says

    Maybe best of all would be getting software vendors to actually run these types of tools against their applications and provide some proof they've built secure code.

    However, I think the prospect of vendors doing that is pretty remote. Why should they bother? It costs money, which will increase product price, and most of their profit comes from purchasing managers who know exactly nothing about security and aren't remotely interested in it, but do know about expenditure and that their success is measured by how small they make it. So it would reduce sales not increase them, and that would be a decrease in profits, and that's all most of the vendors care about so for most vendors it won't happen.

    Of course if legislation were passed to make illegal the current software licensing system where the vendor has no responsibility to provide anything that is anywhere near reliable or safe or even functional, the picture might change; and making the big boys undertaking projects on behalf of government bodies accept contracts that have genuine penalties for failure of function or of security might lead to more pen testing too. But those changes will never take place while a large body of politicians depend on the assorted corporate bandits for campaign donations and/or post political term cushy jobs, and that's not going to change any time in the near future.

    Tom

  • Vendors won't, at least not until RFCs start to require some proof of testing. That won't happen until insurance companies put it in policies with companies.
