
Security Software and the Cowboy pants

I am starting to feel a sense of frustration. No, it doesn't affect me personally; I am still the same 'white hat' as always.
I went through a series of interviews for different positions recently. It was an absolute waste of time. What caught my attention was the level of arrogance and mindless stupidity coming from the people who should be paying attention. Each interview went along the same well-travelled path:
Can you install software?
Can you connect it to the ERP (or whatever they are connecting it to)?
etc.
So they all concentrate on the functional requirements. Most forget that the security of your software falls under the non-functional requirements.
No one had the slightest idea that before you implement the functional requirements you need to make sure that your 'security software', be it SailPoint, Oracle, ForgeRock or whatever:
is in itself secured.
The buzzword 'security software' doesn't make it secure on its own.
Someone has to do it.
Otherwise your security software will look like a cowboy wearing pants with two guns in the front pockets and two wide cutaways in the back.
Yes, your company's rear will be exposed.
Almost all of the vendors use a 3-tiered system:
Front web tier
Application tier
Database Tier
If these tiers are not hardened and secured, you will end up wearing the pants above: only the front web tier should be reachable from the outside, and each tier should accept connections only from the tier in front of it.
Any IAM implementation project therefore needs to start with, and concentrate on, fulfilling the non-functional requirements first and foremost.
Only after the non-functional requirements are tested and approved can the functional requirements be addressed.
I strongly recommend following NIST, ASD and other relevant standards to secure the 'security software'.
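As an added illustration (this is example code written for this page, not something from the original post or from any vendor), the following script checks a three-tier inventory against the segmentation rule above: only the web tier may be reached from the internet, each tier may accept connections only from the tier directly in front of it, and every listener must be TLS-protected. The tier names, ports, the `Listener` record and the inventory format are assumptions made for the example; the two inventories are constructed, not taken from a real deployment.

```python
"""Added example: minimal segmentation check for a web -> app -> db layout.

Assumptions (not from the original post): tier names, port numbers,
the Listener record and the constructed inventories below.
"""

from dataclasses import dataclass

# Request path, front to back. A tier may only be called by the tier before it.
TIER_ORDER = ["web", "app", "db"]


@dataclass
class Listener:
    tier: str            # which tier this service belongs to
    port: int
    tls: bool            # is the listener TLS-protected?
    allowed_from: list   # "internet" and/or tier names permitted to connect


def check_segmentation(listeners):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    for lst in listeners:
        if lst.tier not in TIER_ORDER:
            findings.append(f"{lst.tier}:{lst.port} is not a known tier")
            continue
        idx = TIER_ORDER.index(lst.tier)
        # The only legitimate caller: the tier in front, or the internet for the web tier.
        expected_src = TIER_ORDER[idx - 1] if idx > 0 else "internet"
        for src in lst.allowed_from:
            if src == "internet" and lst.tier != "web":
                findings.append(f"{lst.tier}:{lst.port} is reachable from the internet")
            elif src != expected_src:
                # e.g. the web tier talking straight to the database, bypassing the app tier
                findings.append(
                    f"{lst.tier}:{lst.port} accepts connections from {src}, "
                    f"expected only {expected_src}"
                )
        if not lst.tls:
            findings.append(f"{lst.tier}:{lst.port} is not TLS-protected")
    return findings


# Constructed inventory: the "cowboy pants" deployment.
EXPOSED = [
    Listener("web", 443, True, ["internet"]),
    Listener("app", 8080, False, ["web", "internet"]),  # admin console left open, plain HTTP
    Listener("db", 1521, False, ["app", "web"]),        # reporting shortcut straight from web tier
]

# Constructed inventory: the same stack with every tier hardened.
HARDENED = [
    Listener("web", 443, True, ["internet"]),
    Listener("app", 8443, True, ["web"]),
    Listener("db", 1521, True, ["app"]),
]


if __name__ == "__main__":
    for name, inventory in (("exposed", EXPOSED), ("hardened", HARDENED)):
        result = check_segmentation(inventory)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run it as a pre-flight gate before any functional testing starts; the point of the check is that a deployment with the database tier reachable from the web tier fails regardless of how well the connectors and workflows on top of it work.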

But you can always buy pants, as they are widely available out there :) and there are plenty of integrators who are happy to sell them.


I have been playing with F5 LTM APM since 2012 and noticed that it is getting popular and more prominent. The easy interface and configuration makes a tool of professional choice. I have advising many network teams on how to configure and properly use F5 with different vendors IAM. It is even more important as F5 has Virtual Edition meaning you can design your private cloud IAM and enjoy F5 SSO to your protected apps. The trick is to make sure you have license for the Application Policy Manager - APM. As you can see from the screenshot above once APM is licensed it is just one pull-down from the menu. You can configure F5 to be your SAML IDP or SP the choice is limited to your imagination. In the next posts I will walk through typical SAML SSO setup with Oracle Access Manager Stay tuned :)