Been using UNIX since the late 80s; Linux since the mid-90s; virtualization since the early 2000s and spent the past few years working in the cloud space.
Location: Alexandria, VA, USA
Education: B.S. Psychology from Pennsylvania State University
"Checkbox security". It really exposes that your organization's security "experts" aren't. Manifests itself in ways like:
System fails a security-scan because it doesn't have IPv6-related security-settings present ... even though you've explicitly wholly-disabled IPv6 on the system
A container fails a security-scan because it wasn't built from a "full OS" type starting-point. Never mind that the container is so minimized that it has almost no attack-surface: your IA guy wants you to start with a container that emulates a full Linux distro before you start loading code into it. So, just so the clueless IA guy wants his scanner to work, you have to bloat-out and increase the attack-surface of your container.
An RPM (etc.) gets flagged because the RPM version-number makes the (brain-dead) scanner think that you're running Apache 2.4.6 when you're actually running a version that's been patched for all the known flaws. Then you have to explain CVEs and how to update the scanner so it understands that "oh: this particular packaging is actually safe"
A security-assessor telling you "you've got too many admin accounts" because you've got uniquely-privileged accounts for each individual service. Explaining, "each one of these accounts has a custom, least-privileges access-profile built into it and each one of these accounts has unique authentication-credentials. If I follow your advice and move to one uber-admin credential, and an attacker breaks that account, they pwn everything in the enterprise, not just this one system or service-stack"
...The list goes on and on. It's especially frustrating when you're in an organization that says it wants to do risk-based security but none of their designated security "experts" understands actual risk-analysis.
How's this rant relevant: check-box security SMEs are far more organizationally-dangerous than someone sharing a password to
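The RPM point above is the most concrete of the list, so here is an added example (not part of the original comment) showing why a scanner that reads only the upstream version number flags a backported build, and how a check against the distribution's own fixed epoch:version-release does not. The package string, the "upstream fixed" version and the advisory data are constructed placeholders, and the CVE identifier is a placeholder, not a real advisory; the comparison routine follows the rpmvercmp ordering rules (numeric segments compared as integers, alphabetic ones lexically, `~` sorting before everything) but omits the `^` rule.

```python
import re

# Split a version or release string into the segments rpm compares:
# runs of digits, runs of letters, or a tilde. (The '^' separator that
# newer rpm understands is deliberately not handled here.)
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering a against b the way librpm does."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # A tilde sorts older than anything, including end-of-string,
        # which is what makes 1.0~rc1 older than 1.0.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:           # a ran out of segments first: older
            return -1
        if y is None:           # b ran out first: a is newer
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            c = 1 if xd else -1  # numeric segment beats alphabetic one
        else:
            c = (x > y) - (x < y)
        if c:
            return c
        i += 1
    return 0


def split_evr(evr: str):
    """'0:2.4.6-90.el7' -> ('0', '2.4.6', '90.el7'); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, release = evr.split("-", 1) if "-" in evr else (evr, "")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare full epoch:version-release strings segment by segment."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_nevra(nevra: str):
    """'httpd-2.4.6-97.el7.x86_64' -> ('httpd', '0', '2.4.6', '97.el7')."""
    rest, _arch = nevra.rsplit(".", 1)          # drop the architecture
    name, version, release = rest.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


# Constructed placeholder data: an upstream "fixed in" version the naive
# scanner compares against, and the distro advisory's fixed EVR for the
# same (placeholder) CVE, which is what a backport-aware check uses.
UPSTREAM_FIXED = {"httpd": "2.4.99"}                      # placeholder
ADVISORY_FIXED = {"httpd": "0:2.4.6-90.el7"}              # placeholder
ADVISORY_ID = "CVE-YYYY-NNNN (placeholder)"


def naive_upstream_check(nevra: str) -> str:
    """The 'brain-dead' check: upstream version only, release ignored."""
    name, _, version, _ = parse_nevra(nevra)
    fixed = UPSTREAM_FIXED.get(name)
    if fixed is None:
        return "PASS"
    return "PASS" if rpmvercmp(version, fixed) >= 0 else "FAIL"


def advisory_aware_check(nevra: str) -> str:
    """Compare the installed epoch:version-release with the advisory's."""
    name, epoch, version, release = parse_nevra(nevra)
    fixed = ADVISORY_FIXED.get(name)
    if fixed is None:
        return "PASS"
    installed = f"{epoch}:{version}-{release}"
    return "PASS" if evrcmp(installed, fixed) >= 0 else "FAIL"


if __name__ == "__main__":
    pkg = "httpd-2.4.6-97.el7.x86_64"   # constructed sample package
    print(ADVISORY_ID, pkg)
    print("naive upstream-version check :", naive_upstream_check(pkg))
    print("advisory-aware EVR check     :", advisory_aware_check(pkg))
```

The two functions disagree on the same package string: the naive one sees "2.4.6" and fails it, the advisory-aware one sees that release 97 is past the release the distro shipped the fix in and passes it. That gap is exactly the conversation the comment describes having to have with the scanner's owner.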