I've got a customer that is going over to the dark side (MS) because of
an application.

I am having a lot of fun ;-) with them because of security.

The first thing I found was that it is a step back in security as the
bank account and credit card numbers are not encrypted in the database
as they were in the prior system.

The application share on the server had write/update authority
restricted per good security. Their software kept giving a less than
useful pop-up at RANDOM times about a write error but no details about
where. Turns out they need update authority to a sub-folder (containing
a ton of executables) that they finally identified. The application
vendor wanted the server's share, containing everything but SQL, to be
unsecured. Only when I pointed out to them how users could accidentally
(I used Al Barsa's daughter story) destroy the application did they say
"Oh yeah, the payroll report archive folder probably should have limited
read access." Duh!

Next, they kept insisting that all users have ADMINISTRATOR AUTHORITY. I
kept telling them that each user has local administrator authority over
their individual PC but they weren't going to get server administrator
authority.

Later I get a call from the users that the vendor can't update their
software. Turns out they have end users run a liveupdate-like utility
and thus would again require full access to the application share. I
created a "special" user with full authority to the share and told the
two managers they could log into their PCs with it to run the liveupdate
and then log out.

Since then the users (not the vendor) have identified at least six more
sub-folders that they need write authority to for temporary/report
files. These sub-folders are NOT under a common folder other than the
root of the share.

Today I got a call from the GM that he wanted the entire share unsecured
so they could finish training with the vendor. He didn't care about
security/virus, just wanted it done NOW and worry about other things
later. The vendor told him they could secure everything from within
their application. The application only restricts users' use of programs.
Remember AS/400 menu security. :-D

This is not a mom and pop business with just two or three users. It's
not a big one either but they have had a few employees that knew enough
to be dangerous but later got fired for other problems.

It is also not a small vendor. They claim to have thousands of customers
of the application.

What I need, and am asking the list for, is some authoritative
documents/best practices to show the exposure the vendor is putting the
customer at risk of. The bigger the horror stories the better. Also,
standards that prove how easy (and how long they have been around) it is to
have the application properly designed for security.

Thanks.

Roger Vicker, CCP



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
