Tuesday, December 18, 2012

troy and elephants

Recently we have been receiving many emails about security vulnerabilities in internet-facing websites, almost every day, which resembles the story of the 5 men each describing what an elephant is like based on touching only its ear, trunk, leg, body, or tail.


Email 1: please ensure that all internet applications have proper security.

Email 2: please ensure that all vendors check their applications to ensure that there are no vulnerabilities.

Email 3: please conduct your own security tests before monitoring them because any high risk alert detected will be a big issue. 

Email 4: please make sure all vendors are prepared for the xxx scan exercise on auspicious-date. 

Email 5: please make sure applications are secured against sql injection attacks. 


The worst-case scenario is that this elephant is actually playing the role of the horse in the invasion of Troy, while we remain preoccupied with elephants.

Wednesday, December 5, 2012

recent ramblings on how i talk with common sense

Individual applications need to raise their own SRs (service requests) to check their connectivity to the mail server. That was what my colleague told me when I asked whether the connection to the new mail server resolved the email-sending problem. He said it didn't resolve his problem, and even though the firewalls have been cleared, individual applications (read: servers) need to raise their own SRs to check that the firewall is indeed cleared.

Huh? I was stunned. My colleague gave me a frustrated look and said that he had been arguing with the network guy to no avail, and arrived at this arrangement, so I went to talk with the network guy.

Me: Why do I need to get 5 people to raise 10 SRs to check the connectivity to 1 stupid mail server?
Network guy: Because each server is different.
Me: And so you mean the firewall clearance is different for each server and hence requires a different SR to test?
Him: Technically yes.
Me: It's a waste of time. Did you raise 10 requests to clear 10 IPs and ports to 1 stupid mail server? No, right? You combined all of them into 1 request, so why is it now my job to ensure that your firewall request is done, by which I mean having to test the connectivity from each server to the mail server?
Him: It's ok, I will do it.
Me: Ok good.

I went back to my colleague and told him the network guy said he will do the connectivity test for all the servers. He was flabbergasted because he felt like he had wasted his time raising the SR for his own application. That was a few days ago.
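The check the network guy agreed to do for every server at once is a small one, so here is an added example of it (not from the original post or the author's environment): a probe that is run on each application server, or over ssh from one place, and prints a single line per server that can be collected into one consolidated report. The mail server name is a placeholder, port 25 (SMTP) is an assumption, and the banner check assumes the mail server answers with the usual "220" greeting. The distinction it draws is the one that matters for a firewall-clearance test: a connect timeout usually means the path is still filtered, while "connection refused" means the firewall is open but nothing is listening, which is someone else's problem.

```python
"""Hypothetical per-server probe: is the firewall path to the mail server open?

Run on each application server (or via ssh from one host) and consolidate the
one-line results, so one person can verify the clearance for all servers at once.
"""
import socket
import sys

MAIL_HOST = "mail.example.internal"  # placeholder, not a name from the post
MAIL_PORT = 25                        # assumed SMTP port


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect to host:port and read the SMTP banner.

    Returns a dict with 'reachable' (TCP connect succeeded), 'banner'
    (first line sent by the server, or None) and 'error' (why it failed).
    """
    result = {"host": host, "port": port, "reachable": False,
              "banner": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
                result["banner"] = data.decode("ascii", "replace").strip() or None
            except socket.timeout:
                # Path is open but the listener never greeted us.
                result["banner"] = None
    except socket.timeout:
        # No SYN-ACK and no RST: the classic signature of a firewall drop rule.
        result["error"] = "timeout (likely filtered)"
    except ConnectionRefusedError:
        # RST came back: the path is open, but nothing listens on that port.
        result["error"] = "connection refused (open path, no listener)"
    except OSError as exc:
        result["error"] = str(exc)
    return result


def classify(result):
    """Reduce a probe result to a one-word verdict for the consolidated report."""
    banner = result["banner"] or ""
    if result["reachable"] and banner.startswith("220"):
        return "OK"
    if result["reachable"]:
        return "OPEN-NO-SMTP"
    if result["error"] and result["error"].startswith("timeout"):
        return "FILTERED"
    return "FAILED"


def report_line(result):
    """One line per server: <this host> <target> <verdict> <banner or error>."""
    return "{} {}:{} {} {}".format(
        socket.gethostname(), result["host"], result["port"],
        classify(result), result["banner"] or result["error"] or "")


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else MAIL_HOST
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else MAIL_PORT
    print(report_line(probe(target_host, target_port)))
```

Running it on each server with `ssh <server> python3 probe.py mail.example.internal 25` and collecting the output gives one table of FILTERED versus OK lines, which is exactly the evidence the single combined firewall request needs, without ten separate SRs.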

Today the infra guy (not the network guy) sucked up a good few hours of my time trying to convince me that his technical specifications for a project were sufficient. At first I told him that just stating the server model and RAM (memory) is not enough, and that the specs were too low for me as well. After 2 days he came back with revised specs, slightly better and with more information, but still with no OS (operating system) information.

Me: So if the vendor gives you Unix, will you take it?
Him: No.
Me: Why? You didn't say you don't want Unix, you know?
Him: They should know we use Windows.
Me: Why should they know when you didn't say?
Him: It's implied that we use Microsoft products, so they should know we use Windows Server.
Me: I can use Microsoft products, but my DC (domain controller) is Unix, right?
Him: Yes.
Me: So is writing Windows Server important?
Him: Let me think about it.
Me: What if they tell you they want to install a Unix DC because in your specs you didn't say you already have a Windows DC? Will you let them install it?
Him: No.
Me: So? Are you going to write that you are using a Windows DC?
Him: We don't normally write this in specs; let me think about it.
Me: You can think, but I want it in.

No moral of story, just ramblings.