Why is it that “enterprise” applications have the worst security?
If VXers researched this area, they could bring corporates all over the world to their knees.
Typical mistakes include:
- clear text management protocols
- clear text authentication, if performed at all
- excessive privileges required to do their tasks
- poorly written and tested – it’s usually trivial to cause agents to segfault or GPF with simple fuzz testing tools
- default configurations are insecure out of the box
- default usernames and passwords
- require old software stacks which themselves have security issues
- secretive and obtuse documentation particularly around security issues
- Stupid limitations… like BMC Patrol’s requirement that all agents run at a matching security level … or else the console does not work. This makes for Big Bang changes in most environments which means no change.
I could go on, but my blood is boiling. If you are buying management software, buy *secure* management software. Don’t trust the vendor to tell you about this – evaluate the software in your environment. Use Ethereal and ettercap to detect if it’s sending clear text or replayable secrets over the wire. Use the trial software against a default installation and see if you can manage your test hosts with default passwords.
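Added here as an illustration of the check the last paragraph asks for, not part of the original post: the same "clear text or replayable?" question asked of reassembled stream payloads instead of a live Ethereal session. The endpoints, protocol syntax and credentials below are constructed for the example and belong to no real product.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of reassembled agent/console payloads keyed by client
# endpoint, as Ethereal's "Follow TCP Stream" would show them. The protocol
# syntax and credentials are invented for the example, not a real vendor's.
SAMPLE_STREAMS = {
    "10.0.0.5:4501": b"LOGIN user=opsadmin pass=opsadmin\r\nSTATUS\r\n",
    "10.0.0.5:4502": b"GET /agent HTTP/1.0\r\nAuthorization: Basic b3BzYWRtaW46b3BzYWRtaW4=\r\n\r\n",
    "10.0.0.6:4503": b"AUTH token=5f3a9c1e22\r\nRESTART\r\n",
    "10.0.0.7:4504": b"AUTH token=5f3a9c1e22\r\nSTATUS\r\n",
    "10.0.0.8:4505": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",  # TLS hello: opaque, as it should be
}

CRED_RE = re.compile(rb"user=(\S+)\s+pass(?:word)?=(\S+)")
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")
AUTH_LINE_RE = re.compile(rb"^((?:AUTH|LOGIN) .*|Authorization:.*)$", re.M)

def find_cleartext_credentials(payload):
    """Return (scheme, user, secret) triples readable straight off the wire."""
    found = [("plain", u.decode(), s.decode()) for u, s in CRED_RE.findall(payload)]
    for blob in BASIC_RE.findall(payload):
        try:  # HTTP Basic is only base64, i.e. clear text with a thin coat of paint
            user, _, secret = base64.b64decode(blob, validate=True).partition(b":")
        except ValueError:
            continue
        found.append(("basic", user.decode(), secret.decode()))
    return found

def find_replayed_secrets(streams):
    """Auth lines that recur verbatim across different client endpoints: a
    static secret resent unchanged every session can be captured once and
    replayed, whereas challenge-response material would differ per session."""
    seen = defaultdict(set)
    for endpoint, payload in streams.items():
        for line in AUTH_LINE_RE.findall(payload):
            seen[line.rstrip(b"\r")].add(endpoint)
    return {line: sorted(eps) for line, eps in seen.items() if len(eps) > 1}

def evaluate(streams):
    """Per-endpoint clear-text findings plus every replayable auth line."""
    cleartext = {ep: find_cleartext_credentials(p) for ep, p in streams.items()}
    cleartext = {ep: creds for ep, creds in cleartext.items() if creds}
    return {"cleartext": cleartext, "replayed": find_replayed_secrets(streams)}

if __name__ == "__main__":
    for section, findings in evaluate(SAMPLE_STREAMS).items():
        print(section, findings)
```

Anything that shows up under either heading is a product to send back, whatever the vendor's documentation says about its security.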