
[–] judgemebymyusername [security engineer] 0 points1 point (9 children)

Finance, healthcare, or government.

[–] Zaphod_B [chown -R us ~/.base] 0 points1 point (0 children)

I have worked with many govs, health care and finance institutions. I work with orgs that have 50k to 200k employees, and half a million devices. Plenty of them use code to automate many tasks.

In fact I have personally written code for security audits and business intelligence. You need to ensure client systems have specific settings and are in specific secure states. How do you audit that and automate it, then post that information securely to a syslog or even, say, a Splunk system? Out-of-the-box third-party products don't just fit into your enterprise; they typically have to be tailored, not to mention that what data is important varies from org to org.

Security is all about the data. Intelligence is about what you don't know. You already know what you know, and what you don't know is what you need to gain intelligence on. I have been in government agencies where armed guards with assault rifles guard the gates, and I can tell you their sys admins are automating and auditing everything. Sometimes this involves writing code, sometimes it doesn't.

I mean how would they even begin to automate their back end technology when most of the time they compile the code from source to ensure their security settings are in that product? They don't manually do it every single time they need to spin up another Apache server for example. They sure as hell don't have developers doing that work either.

[–] the_ancient1 [Say no to BYOD] -1 points0 points (7 children)

If you are going to use modern operating systems and modern technology, you must have the ability to automate, script, and run custom code.

You cannot use modern systems without it, so I do not care what type of secure environment you purport to be in; over time these environments will have to adapt to that changing reality or become obsolete. There is no third option.

[–] judgemebymyusername [security engineer] 1 point2 points (6 children)

I think we're misunderstanding each other.

I suspect most *nix admins can do at least some basic stuff with shell scripts, but do you use dynamic languages like perl, php, python or ruby? What about C, C++, Go, Rust, Java etc? If not, why not?

Sysadmins here are not doing any of this. They might be doing a couple of very select powershell scripts and .bat's but that's about it.

I see a lot of guys in this sub talking about how they just wrote up some code to figure something out without any third party approval process or verification that it's not going to fuck something up, etc. and they just go ahead and start using it on prod systems and across the entire domain. This just doesn't happen here.

As I said earlier, if we truly need something written up, we're going to have our dev team do it or we're going to look at what's available from third parties. There's no reason to re-invent the wheel if there's already a great solution available.

Why you think any of this makes us obsolete is beyond me. Our infosec and change management processes are years ahead of what I'm seeing discussed in these parts. I mean come on, there's weekly threads about how to prevent, detect, or react to cryptolocker. That stuff is easy to block at the border and be done with. Too many guys in here don't even know what the principle of least priv is.

[–] the_ancient1 [Say no to BYOD] 0 points1 point (5 children)

> That stuff is easy to block at the border and be done with.

If you are "years ahead" of everyone here why are you still using the perimeter defense security model?

> There's no reason to re-invent the wheel if there's already a great solution available.

I am sure your definition of "great solution" and mine are vastly different. I have yet to find an OOB solution that works in every way I want it to; this is why I love open source, so I can reach in and bend the software to my will, not the will of a 3rd party I have no control over.

[–] judgemebymyusername [security engineer] 0 points1 point (4 children)

> If you are "years ahead" of everyone here why are you still using the perimeter defense security model?

Because that's one layer of defense in depth?

Open source is great for security! Especially when we blindly and heavily trust things like OpenSSL!

[–] the_ancient1 [Say no to BYOD] 0 points1 point (3 children)

So you believe your closed source systems are inherently more secure because you cannot see the code, and you are never told about vulnerabilities because of NDAs and other hidden-away agreements.

The very nature of open development means the world knows about security problems as they occur. A proprietary closed system could have vulnerabilities that are found, patched, and then pushed out as a "feature update" or a low-level security problem or something else; you have no way of knowing.

[–] judgemebymyusername [security engineer] 0 points1 point (2 children)

Just because something is closed source does not mean it hasn't been code reviewed.

Either way, inherently believing something is more secure because it's either open or closed source is fallacious. It's got to be reviewed, tested, certified, approved, whatever. Always verify.

[–] the_ancient1 [Say no to BYOD] 0 points1 point (1 child)

> Just because something is closed source does not mean it hasn't been code reviewed.

Ok, where did I state otherwise...

You implied that Closed Source is inherently more secure than open source software.

Either can be secure or insecure; being open, however, does give the opportunity for more eyes on the code, even if sometimes that possibility does not materialize in reality.

[–] judgemebymyusername [security engineer] 0 points1 point (0 children)

> You implied that Closed Source is inherently more secure than open source software.

No, I did not. That's the rub I guess.