Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

ISO 17799

Certifications are good things, or so I’ve always thought, though the more work I do to help achieve ISO 17799 compliance, the more I’m beginning to dislike them. The work has been steadily piling up since I started this job in December, but now that we are only a couple of weeks away from what should be our final audit, it is coming a lot faster. We’re working to ensure everything we have in production meets the requirements of the standard, which has proved to be rather difficult.

The primary issue has been data access: eliminating all direct SQL queries and replacing them with stored procedures. While this isn’t that difficult in itself, when there are dozens of systems that need updates, it adds up surprisingly quickly.
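As an added illustration of the change described above (not code from the original post), assuming SQL Server’s T-SQL and a hypothetical `Customers` table: the concatenated “direct query” pattern beside a stored procedure that binds its input as a typed parameter, plus the caveat that a procedure which rebuilds dynamic SQL internally gives none of the benefit.

```sql
-- Added example, not from the original post. Assumes SQL Server (T-SQL) and a
-- hypothetical dbo.Customers table; the post names no database or schema.

-- BEFORE: the "direct SQL query" the post describes removing. The application
-- builds the statement text itself, e.g.
--   "SELECT ... FROM Customers WHERE LastName = '" + lastName + "'"
-- so a quote character in user input changes the structure of the query.

-- AFTER: a stored procedure with a typed parameter. The value is bound, never
-- spliced into the statement text, so it cannot alter the query.
CREATE PROCEDURE dbo.GetCustomerByLastName
    @LastName NVARCHAR(100)
AS
BEGIN
    SELECT CustomerId, FirstName, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName;
END;
GO

-- The application calls it with a bound parameter instead of building SQL text:
-- EXEC dbo.GetCustomerByLastName @LastName = N'O''Brien';

-- CAVEAT: a stored procedure only helps if it does not rebuild dynamic SQL.
-- This version defeats the purpose: both inputs are concatenated into a new statement.
CREATE PROCEDURE dbo.SearchCustomers_Unsafe
    @Column SYSNAME,
    @Value  NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId FROM dbo.Customers WHERE ' + @Column + N' = ''' + @Value + N'''';
    EXEC (@sql);
END;
GO

-- When dynamic SQL is unavoidable (the caller chooses the column), allow-list the
-- identifier, quote it with QUOTENAME, and pass the value via sp_executesql's parameters.
CREATE PROCEDURE dbo.SearchCustomers
    @Column SYSNAME,
    @Value  NVARCHAR(100)
AS
BEGIN
    IF @Column NOT IN (N'FirstName', N'LastName')
        THROW 50001, 'Column not allowed', 1;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId FROM dbo.Customers WHERE ' + QUOTENAME(@Column) + N' = @v;';
    EXEC sp_executesql @sql, N'@v NVARCHAR(100)', @v = @Value;
END;
GO
```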

Security is always a good thing, and when dealing with the sensitive personal information of thousands of people, it’s very important. So I’m not complaining about the security required, but when you are trying to clean up after years of more relaxed practices, it takes a surprising amount of work.
