[aklug] Re: Information Systems Audit

From: Royce Williams <royce@tycho.org>
Date: Sat Feb 09 2013 - 18:03:09 AKST

Re-sending, because I intended this to go to the list, not just Damien.

On Sat, Feb 9, 2013 at 4:26 PM, Damien Hull <dhull@section9.us> wrote:
> Thanks for the information on this subject. I think I've learned two things.
> One, this is hard to do. Two, don't trust the programmers.
>
> It would be interesting to see how companies like Amazon and Facebook handle
> application security. I'm sure they have this down to a science. Maybe
> something along the lines of a security framework like sp800-30 by NIST and
> ISO 27001.

Lots of the frameworks boil down to:

* Document your policies, procedures, and standards.
* Don't use weak crypto.
* Track your assets and their owners.
* Use RBAC and its HR equivalents.
* Classify information, systems and zones.
* Don't suck at passwords.
* Log everything, and automate sifting and alerting on the logs.
* Use two-factor auth.
* Know and control what is leaving your network.
* KISS.

As to the big boys, on top of the above, they probably have:

* Automated code review tools, both from multiple vendors, and home-grown.
* Massive regression-testing suites. (Side trivia note: the test code for SQLite is more lines of code than the code itself!)
* A carefully cultivated, witch-hunt-free culture of "not shooting the messenger" who reports vulnerabilities.
* Vigorous and cross-disciplinary programmer training.
* Farms of fuzzers (both outside/brute-force, and inside/application-aware), running constantly on test instances.
* Red-team and other penetration-testing exercises.
* "Game Day"-style DevOps break-it-yourselves-before-something-else-does exercises (ref: http://devops.com/2011/03/08/devops-culture-hacks/)

An interesting application of that last:

http://www.theatlantic.com/technology/archive/2012/11/when-the-nerds-go-marching-in/265325/

Royce
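An added example, not part of Royce's message or anything on the list, of what "log everything, and automate sifting and alerting on the logs" looks like once you move past grep: a small sifter that parses sshd-style auth lines, keeps a sliding window of failed logins per source address, and raises an alert both when a source crosses a failure threshold and when a login succeeds from a source that was just failing repeatedly (the case a plain threshold misses). The log lines are constructed for the example (hostname, usernames and the RFC 5737 documentation addresses are all made up), the year is assumed to be 2013 because syslog timestamps carry none, and the threshold and window are arbitrary tuning knobs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd format; not real logs from any host.
SAMPLE_LOG = """\
Feb  9 17:58:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb  9 17:58:03 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Feb  9 17:58:05 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb  9 17:58:06 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 51031 ssh2
Feb  9 17:58:08 bastion sshd[2109]: Failed password for root from 203.0.113.7 port 51033 ssh2
Feb  9 17:58:09 bastion sshd[2111]: Accepted password for royce from 203.0.113.7 port 51040 ssh2
Feb  9 17:59:30 bastion sshd[2120]: Failed password for royce from 198.51.100.5 port 40010 ssh2
Feb  9 18:02:11 bastion sshd[2130]: Accepted publickey for royce from 198.51.100.5 port 40012 ssh2
"""

# Matches the two sshd outcomes we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2013):
    """Return a dict for an auth line we understand, or None for anything else.

    Syslog timestamps have no year, so one is assumed (2013 here, to match the
    thread this example accompanies)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def sift(log_text, threshold=5, window=timedelta(minutes=1)):
    """Scan log lines in order and return a list of alert tuples.

    Alert kinds:
      BRUTE_FORCE            - a source reached `threshold` failures within `window`
      SUCCESS_AFTER_FAILURES - a login succeeded from a source still at or above
                               `threshold` recent failures (the worrying case)
    Each tuple is (kind, src, user, timestamp)."""
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["src"]]
        # Expire failures that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once when the threshold is reached
                alerts.append(("BRUTE_FORCE", ev["src"], ev["user"], ev["ts"]))
        elif len(q) >= threshold:
            alerts.append(("SUCCESS_AFTER_FAILURES", ev["src"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in sift(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24} src={src} user={user}")
```

On the sample above the sifter raises two alerts, both for 203.0.113.7: the threshold is hit on the fifth failure, and the "Accepted password for royce" one second later is flagged as a success following a failure burst, which is the line a human reviewer would want surfaced rather than buried among the failures. The single failure from 198.51.100.5 followed by a key-based login minutes later produces nothing, since it aged out of the window. In a real deployment the same structure feeds a tailer or a SIEM rule instead of a string constant, and the alert tuples go to a pager or ticket queue.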
Received on Sat Feb 9 18:03:38 2013

This archive was generated by hypermail 2.1.8 : Sat Feb 09 2013 - 18:03:38 AKST