“Enterprise” levels of insecurity

Why is it that “enterprise” applications have the worst security?

If VXers researched this area, they could bring corporates all over the world to their knees.

Typical mistakes include:

  • clear text management protocols
  • clear text authentication, if performed at all
  • excessive privileges required to do their tasks
  • poorly written and tested – it’s usually trivial to cause agents to segfault or GPF with simple fuzz-testing tools
  • default configurations that are insecure out of the box
  • default usernames and passwords
  • require old software stacks which themselves have security issues
  • secretive and obtuse documentation, particularly around security issues
  • stupid limitations, like BMC Patrol’s requirement that all agents run at a matching security level or else the console does not work; this forces Big Bang changes in most environments, which in practice means no change

I could go on, but my blood is boiling. If you are buying management software, buy *secure* management software. Don’t trust the vendor to tell you about this – evaluate the software in your environment. Use Ethereal and ettercap to detect whether it’s sending clear text or replayable secrets over the wire. Use the trial software against a default installation and see if you can manage your test hosts with default passwords.
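The wire-level part of that evaluation can be scripted once the capture has been reduced to per-session payloads. The following is an added example, not code from the original post or from any product it mentions: it scans constructed sample payloads (hand-written here to resemble a weak agent protocol, not taken from a real capture) for credentials sent in the clear, and flags authentication blobs that are byte-identical across sessions, which is the tell-tale of a replayable secret rather than a challenge-response. The `AUTH <hex>` line format and the `CLEARTEXT_PATTERNS` list are assumptions for the illustration; a real evaluation would extend them for the protocol under test.

```python
"""Added example (not from the original post): offline checks for two of the
properties the post says to verify before buying management software:
  1. does agent/console traffic carry clear-text credentials?
  2. does it reuse a static, replayable authentication blob across sessions?

Input: a list of (session_id, direction, payload_bytes) tuples, i.e. the TCP
payloads of a test capture already split per session. The samples at the
bottom are constructed by hand and do not come from any real product.
"""
import base64
import re
from collections import defaultdict

# Patterns that indicate credentials travelling in the clear. Constructed for
# illustration; extend with the fields of the protocol under evaluation.
CLEARTEXT_PATTERNS = [
    ("basic-auth", re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)),
    ("pass-field", re.compile(rb"(?:^|[&\s;])(?:pass|password|pwd)\s*[=:]\s*([^&\s;]+)", re.I)),
    ("pop-ftp-pass", re.compile(rb"^PASS\s+(\S+)", re.I | re.M)),
]

# Hypothetical agent login line, assumed for the example: "AUTH <hex blob>".
AUTH_LINE = re.compile(rb"^AUTH\s+([0-9a-fA-F]{16,})", re.M)


def find_cleartext_credentials(payloads):
    """Return [(session_id, label, secret)] for every credential found in clear text.

    Basic-auth values are base64, not encryption, so they are decoded to show
    the evaluator exactly what an eavesdropper would learn.
    """
    findings = []
    for session_id, _direction, data in payloads:
        for label, pattern in CLEARTEXT_PATTERNS:
            for match in pattern.finditer(data):
                secret = match.group(1)
                if label == "basic-auth":
                    try:
                        secret = base64.b64decode(secret, validate=True)
                    except ValueError:
                        pass  # malformed base64: report the raw value instead
                findings.append((session_id, label, secret.decode("latin-1")))
    return findings


def find_replayable_tokens(payloads, min_sessions=2):
    """Return {token: [session_ids]} for auth blobs repeated across sessions.

    A nonce- or challenge-based scheme yields a different blob every session;
    a blob that is identical in two or more sessions can be captured once and
    replayed, so it is reported even though it never appears "in the clear".
    """
    sessions_by_token = defaultdict(set)
    for session_id, direction, data in payloads:
        if direction != "client->server":
            continue
        for match in AUTH_LINE.finditer(data):
            sessions_by_token[match.group(1)].add(session_id)
    return {
        token.decode(): sorted(sessions)
        for token, sessions in sessions_by_token.items()
        if len(sessions) >= min_sessions
    }


def verdict(payloads):
    """Single pass/fail for the 'secrets on the wire' part of an evaluation."""
    clear = find_cleartext_credentials(payloads)
    replay = find_replayable_tokens(payloads)
    return "FAIL" if clear or replay else "PASS"


# Constructed sample sessions (not a real capture). s1: HTTP basic auth with a
# default-looking credential; s2/s3: the same static AUTH blob reused; s4: a
# form-style login; s5: an AUTH blob seen only once (not flagged).
SAMPLE_PAYLOADS = [
    ("s1", "client->server", b"GET /agent/status HTTP/1.0\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    ("s1", "server->client", b"HTTP/1.0 200 OK\r\n\r\n"),
    ("s2", "client->server", b"AUTH deadbeefcafef00d0123456789abcdef\nSTATUS\n"),
    ("s3", "client->server", b"AUTH deadbeefcafef00d0123456789abcdef\nRESTART agent\n"),
    ("s4", "client->server", b"login=patrol&password=patrol&action=list\n"),
    ("s5", "client->server", b"AUTH 0123456789abcdef0123456789abcdef\nSTATUS\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_PAYLOADS):
        print("clear-text credential:", finding)
    for token, sessions in find_replayable_tokens(SAMPLE_PAYLOADS).items():
        print("replayable auth blob %s reused in sessions %s" % (token, sessions))
    print("verdict:", verdict(SAMPLE_PAYLOADS))
```

Feeding it a real capture means exporting the reassembled TCP payloads per session from the sniffer and building the same tuples; the point of the replay check is that encryption-looking hex on the wire is no reassurance if the same bytes log in every time.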

Unbelievable.
