• 17May
    Author: ned Categories: Infrastructure, Ramblings Comments: 1

    MySQL didn’t escape the Sun acquisition unscathed… hopefully Oracle doesn’t make the same dumb mistakes.

    I took (what I thought would be) a few minutes this afternoon to upgrade a group of production MySQL servers at Applied Trust. I started by following the same process I have followed for at least four or five years: browse to mysql.com, click on “Download”, and follow the links to the latest RPMs for my Linux distributions.

    The download went as expected, with the consistent MySQL branding lulling me into a false sense of ease – this was something I’ve done dozens of times. I shouted down the hall that I’d be ready to start grilling dinner in a few minutes. Next, I scheduled downtime, did the necessary change documentation, and brought one of the slave MySQL servers down – I was ready to upgrade the database. I typed sudo rpm -Uvh MySQL-*-5.1.34-0.rhel5 and my pleasant ride through upgrade-land came to a screeching halt:


  • 23Nov
    Author: trent Categories: IT Management Comments: 2

    One of the most common queries I get from friends in the IT space is “Hey Trent, do you know someone that can help my organization with _______.” The subject varies, but the goal is the same: to get a referral for a vendor that has a proven track record, is inexpensive and reliable, and will generally make the people who chose them look like a star. Of course, my hope is that when folks ask their buddies “Who do you use for IT Security and Infrastructure?”, the answer is Applied Trust.

    In my experience, finding those trusted IT vendors is very, very difficult.  Usually it takes actually trying a handful of vendors before one rises to the top.  Here’s the set of vendors that I personally trust, and where I often refer folks (and no, they didn’t pay me to mention them here!):


  • 19Nov
    Author: ben Categories: IT Management, Ramblings, Security Comments: 0

    The Lone Sysadmin, Bob Plankers, comments on the lack of vendor commitment to virtualization, and I fully concur. I see it especially with smaller, proprietary niche vendors. They’ll threaten to pull support entirely if their software is hosted on a virtual system.

    The core problem, in my view, is that they just don’t understand it. It’s not limited to virtualization, either. There’s pushback on patching (on all platforms), joining systems to a Windows domain, changing account passwords or privilege levels, even locating multiple systems on different subnets!

    My take is that many of these vendors do not come from an IT background. They are experts in some field, identified a problem that needed automating, and hired somebody to write the code for them, with no understanding of the security or architectural implications. They’re often very good at solving the problems in that niche, but when that system plays a role in a larger enterprise there’s no understanding of the big picture.

  • 22Oct
    Author: ben Categories: Security Comments: 0

    When we think about (or google) application security, most often we’re thinking about the common web application attack vectors – cross site scripting, injection vulnerabilities, and session management. With the prominence of the web as a new delivery platform, and the corresponding security standards and regulations developed around it, there’s no doubt that it needs a lot of attention.

    However, there’s a layer between the application’s internal security and the operating system that is less prominent in the eyes of the industry. For convenience, I’ll refer to it as the application platform here. The platform includes the nuts and bolts of integrating the application into the environment, and includes things like:

    • File transfers between application components or servers
    • Log file location, centralization, and audit settings
    • Database server security (you’re not running SQL as a domain admin, right?)
    • Server role segregation at the network layer

    It’s a combined responsibility of the application and system administrators, along with a data security professional, to ensure that this layer isn’t ignored. Ideally, a full procedure should exist to make the implementation process efficient and tidy.

    If you’re hiring a vendor to deploy a fancy new proprietary application, they’re likely not going to be willing or able to ensure that it meets your strict internal security requirements. I’ve even met vendors that hadn’t planned to join their Windows servers to the domain, and tried to insist that it would be a support contract violation! Until we’re all enforcing certain security requirements on vendors, this attitude isn’t likely to change, but that’s a topic for another day.

    I cover background and a full process on this at length in the February 2008 issue [PDF] of INSECURE magazine (and in HTML format on the Applied Trust web site).
