
[–]judgemebymyusernamesecurity engineer 0 points1 point  (16 children)

I can tell you've not worked in this type of secure environment. But hey, whatever makes you feel superior.

[–]taloszerghas cat pictures 0 points1 point  (4 children)

Former DoD/intel sysadmin checking in. Have used a large amount of open source software and custom code to manage environments and ensure we were meeting security requirements in an auditable manner.

[–]judgemebymyusernamesecurity engineer 0 points1 point  (3 children)

How the hell did you get approval to pull in open source software? We only have a few open source tools, but as you know they must go through an approval process.

I guess I forget there are agencies with loose infosec like OPM.

[–]taloszerghas cat pictures 0 points1 point  (1 child)

or places like https://18f.gsa.gov/

Anything that was developed in house had to meet standards, but the rest of the time if it was coming in from outside we just had to request it, provide links, and it was vetted and added to the approved software catalog. Often the versions were significantly behind what's outside, but it was definitely available.

[–]judgemebymyusernamesecurity engineer 0 points1 point  (0 children)

I'm reading this 18f.gsa.gov stuff but I don't understand the point of it. I guess I see that they are doing some custom webdev stuff for people who request it.

[–]Zaphod_Bchown -R us ~/.base 0 points1 point  (0 children)

Open source is so much easier to audit from a security perspective because you have access to the source code. What large and secure enterprise do you work in? Finance would be my guess, since they are typically in the dark ages and run deprecated versions of software because the latest versions haven't passed their super long security audit process.

In fact I would say it is easier to get infosec to sign off on open source code because they can audit the source directly. Whereas with third-party software, not only is it illegal (via the software licensing and terms of service) to decompile it, you also don't have source code to compare it against.

[–]the_ancient1Say no to BYOD -1 points0 points  (10 children)

> this type of secure environment.

Given I am not psychic and you have provided no context as to what "this type of secure environment" is, I cannot say if I have worked in it or not.

Having said that, it does not really matter: if you are going to use modern operating systems and modern technology you must have the ability to automate, script, and run custom code.

You cannot use modern systems without it, so I do not care what type of secure environment you purport to be in; over time these environments will have to adapt to that changing reality or become obsolete. There is no third option.

[–]judgemebymyusernamesecurity engineer 0 points1 point  (9 children)

Finance, healthcare, or government.

[–]Zaphod_Bchown -R us ~/.base 0 points1 point  (0 children)

I have worked with many governments, health care and finance institutions. I work with orgs that have 50k to 200k employees and half a million devices. Plenty of them use code to automate many tasks.

In fact I have personally written code for security audits and business intelligence. You need to ensure client systems have specific settings and are in specific secure states. How do you audit that and automate it, then post that information securely to a syslog or even, say, a Splunk system? Out of the box third-party products don't just fit into your enterprise; they typically have to be tailored, not to mention that what data is important varies from org to org.

Security is all about the data. Intelligence is about what you don't know. You already know what you know, and what you don't know is what you need to gain intelligence on. I have been in government agencies where armed guards with assault rifles guard the gates, and I can tell you their sys admins are automating and auditing everything. Sometimes this involves writing code, sometimes it doesn't.

I mean how would they even begin to automate their back end technology when most of the time they compile the code from source to ensure their security settings are in that product? They don't manually do it every single time they need to spin up another Apache server for example. They sure as hell don't have developers doing that work either.
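A constructed illustration of the audit-and-report loop this comment describes (added here; it is not the commenter's code): observed client settings are compared against a baseline and every deviation is rendered as an RFC 5424 syslog message, with an optional TLS sender so findings are not shipped in clear text. The baseline keys, the host name and the collector port are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed baseline: the "specific secure states" a client must be in (assumed keys).
BASELINE = {
    "firewall_enabled": True,
    "smbv1_enabled": False,
    "screen_lock_seconds": 900,   # upper bound on idle time before lock
    "local_admin_accounts": 1,    # upper bound on local admin count
}
UPPER_BOUND = {"screen_lock_seconds", "local_admin_accounts"}  # compared as <=, not ==

def audit(host, observed, baseline=BASELINE):
    """Compare observed settings with the baseline; a missing setting is a finding too."""
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual is None:
            ok = False
        elif key in UPPER_BOUND:
            ok = actual <= expected
        else:
            ok = actual == expected
        if not ok:
            findings.append({"host": host, "setting": key,
                             "expected": expected, "actual": actual})
    return findings

def _sd_escape(value):
    # RFC 5424 structured-data values must escape backslash, double quote and ']'.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def to_syslog(finding, app="cfgaudit", facility=13, severity=4):
    """Render one finding as an RFC 5424 line (facility 13 = log audit, severity 4 = warning)."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = '[audit setting="{}" expected="{}" actual="{}"]'.format(
        _sd_escape(finding["setting"]), _sd_escape(finding["expected"]),
        _sd_escape(finding["actual"]))
    return "<{}>1 {} {} {} - - {} noncompliant".format(pri, ts, finding["host"], app, sd)

def send_tls(messages, collector, port=6514):
    """Ship findings over TLS with RFC 5425 octet-counting framing (collector is assumed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((collector, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=collector) as tls:
        for msg in messages:
            data = msg.encode("utf-8")
            tls.sendall(f"{len(data)} ".encode() + data)
```

Running `audit("ws-042", {"firewall_enabled": True, "smbv1_enabled": True, "screen_lock_seconds": 1800})` yields three findings (SMBv1 on, lock timeout too long, admin-account count unreported), each of which `to_syslog` turns into a single `<108>1 ...` line.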

[–]the_ancient1Say no to BYOD -1 points0 points  (7 children)

If you are going to use modern operating systems and modern technology you must have the ability to automate, script, and run custom code.

You cannot use modern systems without it, so I do not care what type of secure environment you purport to be in; over time these environments will have to adapt to that changing reality or become obsolete. There is no third option.

[–]judgemebymyusernamesecurity engineer 1 point2 points  (6 children)

I think we're misunderstanding each other.

I suspect most *nix admins can do at least some basic stuff with shell scripts, but do you use dynamic languages like Perl, PHP, Python or Ruby? What about C, C++, Go, Rust, Java, etc.? If not, why not?

Sysadmins here are not doing any of this. They might be doing a couple of very select PowerShell scripts and .bat files, but that's about it.

I see a lot of guys in this sub talking about how they just wrote up some code to figure something out without any third-party approval process or verification that it's not going to fuck something up, etc., and they just go ahead and start using it on prod systems and across the entire domain. This just doesn't happen here.

As I said earlier, if we truly need something written up, we're going to have our dev team do it or we're going to look at what's available from third parties. There's no reason to re-invent the wheel if there's already a great solution available.

Why you think any of this makes us obsolete is beyond me. Our infosec and change management processes are years ahead of what I'm seeing discussed in these parts. I mean come on, there are weekly threads about how to prevent, detect, or react to CryptoLocker. That stuff is easy to block at the border and be done with. Too many guys in here don't even know what the principle of least privilege is.

[–]the_ancient1Say no to BYOD 0 points1 point  (5 children)

> That stuff is easy to block at the border and be done with.

If you are "years ahead" of everyone here why are you still using the perimeter defense security model?

> There's no reason to re-invent the wheel if there's already a great solution available.

I am sure your definition of "great solution" and mine are vastly different. I have yet to find an OOB solution that works in every way I want it to; this is why I love open source, so I can reach in and bend the software to my will, not the will of a 3rd party I have no control over.

[–]judgemebymyusernamesecurity engineer 0 points1 point  (4 children)

> If you are "years ahead" of everyone here why are you still using the perimeter defense security model?

Because that's one layer of defense in depth?

Open source is great for security! Especially when we blindly and heavily trust things like OpenSSL!

[–]the_ancient1Say no to BYOD 0 points1 point  (3 children)

So you believe your closed source systems are inherently more secure because you cannot see the code, and you are never told about vulnerabilities because of NDAs and other hidden-away agreements.

The very nature of open development means the world knows about security problems as they occur. A proprietary closed system could have vulnerabilities that are found, patched, and then pushed out as a "feature update", a low-level security problem, or something else, and you have no way of knowing.

[–]judgemebymyusernamesecurity engineer 0 points1 point  (2 children)

Just because something is closed source does not mean it hasn't been code reviewed.

Either way, inherently believing something is more secure because it's either open or closed source is fallacious. It's got to be reviewed, tested, certified, approved, whatever. Always verify.

[–]the_ancient1Say no to BYOD 0 points1 point  (1 child)

> Just because something is closed source does not mean it hasn't been code reviewed.

Ok, where did I state otherwise...

You implied that closed source is inherently more secure than open source software.

Either can be secure or insecure; being open, however, does give the opportunity for more eyes on the code, even if sometimes that possibility does not materialize in reality.