Software Vendor Security

  • Comments posted to this topic are about the item Software Vendor Security

  • Two thumbs up. We have an application (FootPrints) that we won't consolidate onto our primary SQL cluster because they insist on using the SA account for their database interaction. I'd throw using the SA account in as another very dumb practice.

    --Paul Hunter

  • Paul Hunter (7/24/2010)


    Two thumbs up. We have an application (FootPrints) that we won't consolidate onto our primary SQL cluster because they insist on using the SA account for their database interaction. I'd throw using the SA account in as another very dumb practice.

    Is this the same FootPrints that is used for tracking trouble tickets?

    The version we have doesn't use the sa password but the user account in use has elevated privileges. We can't change the password for that account on account of it breaking the application. We are in process of migrating away from that application on account of the horrendous security model it uses (as the primary reason).

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Mandating a specific account is a sign of a) poor security and b) crappy development practice.

    We used to use Patrol from BMC at a company, and while it required admin/sysadmin privileges on previous Windows versions, it was actually our own developers that "reused" the service account we had set up for Patrol in other places to avoid worrying about security. It took me over a year to get that password changed after I started.

  • Is this the same FootPrints that is used for tracking trouble tickets?

    Yep, that's the one. It's an OK app from the users perspective (I guess) but deserves all the scorn you can heap on it for that practice (as does any other app doing this).

    Hint to application developers -- if you're doing your development using the "sa" account or any account that requires SysAdmin permission then you're doing something wrong.

    --Paul Hunter

  • Paul Hunter (7/25/2010)


    Hint to application developers -- if you're doing your development using the "sa" account or any account that requires SysAdmin permission then you're doing something wrong.

    And they deserve scorn as well.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • I would add as a bad practice vendors that mandate using the server name as a password (?).

  • Don't get me started on this one (if not stopped, I will rant on until deep in the night..... :p)

    [rant]

    As a (senior) developer myself I've always, always stuck to the rule that any kind of hardcoded configuration in application source-code is reason for immediate termination of contract. Even for one-off applications that will run as an only instance on the only known machine in the company itself for that one-off occasion to do a one-off process.

    It's shocking how often I've received a piece of code from one of my developers that wouldn't even run for testing on my PC because the developer hardcoded the database-connection to his own PC-name (and of course user PCs are configured not to accept any SQL-connections from the network, basta!)...

    Alas, security in general seems to be a topic everyone will try to avoid until burnt hard personally. How can I tell my son (18) that if he does not install firewalling and anti-virus, he is essentially a willing part of criminal organisations who use such "open" targets for their criminal intent (gone are the days where hacking was a sport with harmless effects like leaving "Kilroy was here!" messages on your screen)?

    But the general public and even a large portion of software developers just don't seem to grasp that leaving your PC open for attack is the same as leaving your car-keys in your car in front of a bank with a sign saying "free get-away car for grabs!".

    [/rant]

    Spread the word on the importance of building security into software from the inside-out, bolting it on top as an afterthought is just not good enough anymore and should not be accepted from any of your vendors.

  • On another website I've seen the suggestion that this is a problem especially for closed source products -- the priority is to get a working product out the door, often with generations of internal patches and band-aids. Since no one (except possibly hackers) sees these kludges, and the product works properly, the vulnerabilities can go on for decades.

    Of course open source products have plenty of problems too, but they are exposed to a lot more eyes, and potentially, re-writes.

    ...

    -- FORTRAN manual for Xerox Computers --

  • One way to get some action (in US companies) is to tell your CIO that the software does comply with the required Sarbanes-Oxley (or other regulatory) guidelines.

    That will get the software removed from the system asap.

    Tell the vendor the reason why it was removed, and that you have written a letter detailing its security inadequacies to the appropriate regulatory agency for their review.

    It will only take one stink-bomb in the press - plus the resultant contract cancellations and huge sales drop - for many software vendors to get the message.

    Of course, you better be right and be able to prove you are right, 'cause the software company might come after you.

  • I've always loved going to the vendor with a concern on security, especially use of sa, or requiring some sort of sysadmin access, and getting the response "Gee, none of our other customers has complained. Why is it an issue for you?". I've successfully used the SOX bogeyman to get vendors to do things, especially with vendors who don't really understand what SOX is about.

  • "How can I tell my son (18) that if he does not install firewalling and anti-virus, he is essentially a willing part of criminal organisations who use such "open" targets for their criminal intent (gone are the days where hacking was a sport with harmless effects like leaving "Kilroy was here!" messages on your screen)?"

    Firewalling and anti-virus are not really necessary anymore. Vista and up, from installation on, have NTFS settings that lock down the system. Even from the days of Windows 2000 I used to use NTFS to bulletproof my system against viruses and worms. And frequently only my computers would escape infection when all my friends' computers got infected despite their having anti-virus and stuff. Of course those who don't know anything about locking down your system with NTFS will scoff at this suggestion of doing away with anti-virus software. With Windows 2000 and XP I had to manually enable NTFS to lock down, but from Vista I found that I didn't have to do that, as it has NTFS locked down by default, so your son doesn't have to do a thing if he has Vista or better.

  • umailedit (7/27/2010)


    "Firewalling and anti-virus are not really necessary anymore. Vista and up from installation on have NTFS settings that lock down the system."

    Whoa! Where did you get the notion that NTFS protects you from the trojan in that nice-looking free tinker-tool from some obscure Russian website (just because your friends told you it is REALLY COOL!)? If you willingly execute a file you just downloaded, not a single NTFS setting will prevent the trojan inside from doing its job. Only a good and up-to-date antivirus will scan said file and tell you it contains the trojan.

    Your advice will only hold in situations where the user is NEVER connected to the internet and NEVER plugs in removable media from a "less reputable" source. I tell you, my 18yo is a far cry from such a user.

    Anyway, this is going off-topic. I was ranting about attitudes of non system administrators, who often think "it won't happen to me because I don't do dangerous things." But sadly, when you're dealing with real users, you DO need to put every security measure in place that is possible. Which means (getting back on-topic) that software that cannot be configured to use minimum required permissions is a huge risk in any connected real business environment. Just plain refuse to use (and pay!) a vendor that does not have a secure attitude.

  • marco-870908 (7/27/2010)


    umailedit (7/27/2010)


    "Firewalling and anti-virus are not really necessary anymore. Vista and up from installation on have NTFS settings that lock down the system."

    Whoa! Where did you get the notion that NTFS protects you from the trojan in that nice-looking free tinker-tool from some obscure Russian website (just because your friends told you it is REALLY COOL!)? If you willingly execute a file you just downloaded, not a single NTFS setting will prevent the trojan inside from doing its job. Only a good and up-to-date antivirus will scan said file and tell you it contains the trojan.

    Your advice will only hold in situations where the user is NEVER connected to the internet and NEVER plugs in removable media from a "less reputable" source. I tell you, my 18yo is a far cry from such a user.

    Anyway, this is going off-topic. I was ranting about attitudes of non system administrators, who often think "it won't happen to me because I don't do dangerous things." But sadly, when you're dealing with real users, you DO need to put every security measure in place that is possible. Which means (getting back on-topic) that software that cannot be configured to use minimum required permissions is a huge risk in any connected real business environment. Just plain refuse to use (and pay!) a vendor that does not have a secure attitude.

    If you run under a non-privileged account, the trojan would fail to install or do its thing (which is the whole reason why they keep telling us not to run all day under our local admin accounts). That said - that certainly isn't 100% bulletproof, so I wouldn't go into stating antivirus and firewalls are irrelevant.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Matt Miller (#4) (7/27/2010)


    If you run under a non-privileged account, the trojan would fail to install or do its thing (which is the whole reason why they keep telling us not to run all day under our local admin accounts). That said - that certainly isn't 100% bulletproof, so I wouldn't go into stating antivirus and firewalls are irrelevant.

    Still not true. Even if you run on a restricted account (which IS good advice and the original topic of this thread in a different context), when you choose to install that cool new gadget (which secretly hosts the trojan), you provide your admin account to do so. Poof, the trojan installs with admin privileges. Only active analysis of the app you install and identifying the signature/behaviour of the trojan can warn the user what is about to happen -> which is NOT what NTFS does; only anti-virus software does this. And trust me: the average 18yo is bound to download and install gazillions of "cool gadgets" from utterly untrustworthy sources (some from honest hobbyist programmers creating something worthwhile, but many from malicious organisations using every trick in the book to entice users to install their trojan carrier). And this behaviour is certainly not restricted to young non-IT users.

    In a business environment the administrators can control most users' privileges so they cannot run any installation themselves (ever seen small companies do this?), but if the administrator installs software which opens the door for other processes to gain admin privileges (running database services with the sa account directly, or any other account with admin privileges), you're still back to square one. So it comes down to the administrators to validate that the software being installed is clean and does not leave any door open, and to hold vendors accountable for their software's security practices.
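The two DBA-side tasks raised in this thread (Paul Hunter's "hint to application developers" about sa/SysAdmin, and the last post's point that administrators must validate what a vendor's software actually connects as) can both be done with plain T-SQL. The script below is an added example, not FootPrints code or anything from the vendors discussed; the database, login and user names are hypothetical placeholders.

```sql
-- Added example (not from the thread or any vendor): audit, then remediate,
-- application connections that rely on sa or sysadmin membership.

-- 1. Audit: which client programs are currently connected as sa, or as a
--    login that is a member of the sysadmin fixed server role? Read-only;
--    run as a DBA. program_name/host_name identify the offending app.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       CASE WHEN s.login_name = 'sa'                                     THEN 'uses sa'
            WHEN IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1          THEN 'sysadmin member'
       END AS privilege_issue
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND (s.login_name = 'sa' OR IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1)
ORDER BY s.program_name, s.host_name;
GO

-- 2. Remediation: a dedicated login for the application with only the
--    database-level rights it needs. Names below are placeholders.
--    The password must come from your secret store, never from the source code.
CREATE LOGIN HelpdeskAppLogin
    WITH PASSWORD = '<strong-password-from-your-vault>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = HelpdeskDB;
GO
USE HelpdeskDB;
GO
CREATE USER HelpdeskAppUser FOR LOGIN HelpdeskAppLogin;

-- Table read/write through the fixed database roles
-- (ALTER ROLE ... ADD MEMBER is SQL Server 2012+; older versions use sp_addrolemember).
ALTER ROLE db_datareader ADD MEMBER HelpdeskAppUser;
ALTER ROLE db_datawriter ADD MEMBER HelpdeskAppUser;

-- Stored procedures only within the application's own schema; nothing server-wide.
GRANT EXECUTE ON SCHEMA::dbo TO HelpdeskAppUser;
GO

-- 3. Verify the new login did not pick up sysadmin membership (the value must be 0)
--    and that it holds no server-level permissions beyond CONNECT SQL.
SELECT IS_SRVROLEMEMBER('sysadmin', 'HelpdeskAppLogin') AS is_sysadmin;
SELECT sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS pr ON pr.principal_id = sp.grantee_principal_id
WHERE pr.name = 'HelpdeskAppLogin';
```

If the vendor application then fails with a permission error, the error names the exact object it needs, which is far more defensible to grant than sysadmin.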
