jarick 15608 (4/24/2014)
"Then people should vote with their feet."
Gaz, The problem is that the software companies and developers who use the worst security practices in their works also seem to have the best marketing departments and they seem to have a way of convincing executives into buying their software before they get a decent technology review. I've seen a lot of packages with a requirement of using the SA login for the install. If I had any say, that would be the end of the review and I would kindly show the developer or salesperson the door. However, by the time the DBA and Security teams see the software, it has already been purchased and sponsored by an executive who wants it installed last week.
The push needs to come from someone in senior management with some security smarts. In my experience, very few executives have this knowledge. I've seen quite a few CEOs who never even touch a computer at the office, still preferring paper printouts that their secretaries make for them. These are the same guys who make million-dollar purchases on software, and that gets pushed through.
I totally understand. I would recommend highlighting the issue and demanding authority from them to install it.
I have seen this work its way up the chain because no one wants to take responsibility for it. Once it reaches high enough, either you tend to receive a JFDI (Just Do It) down the chain or an officer of the company will approve it, thus making them liable for the decision. Imperfect, I know.
-- Stop your grinnin' and drop your linen...they're everywhere!!!