(This is a re-post from Advogato, which I no longer use.)
12 Apr 2000
My bill paying life is being security architect, which is a fancy term for a prostitute(security+++). I hate it occasionally on days like today. Visited a nice startup located in the deepest darkest recesses of Sydney town (Bligh St) and went through them like a bowl of ripe prunes followed by a calming laxative. But the worst part is that they’re nice people, the product is way cool, but they can’t do security to save themselves. Tips of the week:
- Program defensively; users will submit crap data to you from cookies, form and URL data, and anything else they can send your way. If you do not want the data from your app to appear on the front page of your morning paper, do not install the database on the web server, and do not have the DBMS available to public-facing networks.
- Even if you have packet filtering, ipchains or a firewall, you need to look after the remote services you offer in case the countermeasures fail, or the filter/firewall lets something through that kills you another way.
- If you don’t have IDS tools (like Tripwire/AIDE, etc.) installed, your customers will tell you when you’ve been successfully attacked.
- If you have static data, host it on a CD-ROM. Data on a CD-ROM is impossible to change. It is possible to point the DNS entry, the web directory, and the web server somewhere else, so it’s not a panacea, but it can help. The data is all cached once it has been read in the first time.
Dan and I (mostly Dan) reorganised the home machine room to make the server stack much more cable friendly and moved my dual PPro back into the machine room. It’s going to get toasty in here. Three PPros, three Alphas, and my PII laptop should all contribute to the heat death of the universe.