Six Pillars Of Security, #2: Configuration, Internal Processes And Human Error

 

  • 1-mistakeCare with configuration. Misconfiguration is one of the top 5 reasons behind companies getting hacked.
  • For sensitive data and functionality, consider incorporating a per-role based permissions system to reduce risk, and help track what happened in the event of an attack.
  • Principle of least privilege again helps secure a system; a leaked password isn’t any use if there is no way to invoke important processes with it.

  • Team must follow the internal processes for any key handling. Security developers should be completely familiar with and other team members have read
  • Review any security vulnerabilities or concerns for third-party libraries. Some well known libraries have massive flaws. eg. XMLDecoder (which is core java, but the point still stands) allows XML external to trigger system processes and execute java code: http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
  • Basic Action Points For A Team:
    • Look at existing configuration, can it be made more secure? Talk to those responsible for it.
    • Implement a policy of fine-grained roles/permissions, and least privilege if possible.
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s