Publication: XML Journal
Publication Date: 01-DEC-03
Delivery: Immediate Online Access
Author: Morrison, K. Scott
Article Excerpt

True story from the consulting trenches: the operations staff had left hours ago, shaking their heads and reluctantly leaving the consultants to resolve a problem with their code. It was well past midnight, in the middle of winter, in a town many time zones from home. The project was late. Altogether, this was an awkward situation that you probably know well.
**********
The consultants--falling into that murky classification of not quite outsider, nor regular employee--worked from hobbled accounts; the security staff were pros and took their charge seriously. By 2:00 a.m., the group was stuck. They needed to change a properties file residing on a remote server, but the distributed file system wouldn't allow it, rightfully sneering at the group like the grubbiest serfs in the kingdom. But there was a Web server ...
... And this server was running as root. Before you could say "exploit," our team had all of the rights and privileges of the king of the castle. They tweaked the configuration, muddied the logs, and lo and behold, the software began to run as designed. The client was thrilled the following day; the application moved into production; everybody got paid.
Is this an allegory illustrating the virtues of hacking on the job? No; it was unethical, possibly illegal, and certainly grounds for termination. Rather, this is a story about a clash between security models. At the OS/file system level, the consultants were exactly where they should have been: contractors, a little weary, and not entirely trusted. The failure was at the application level, that is, across HTTP and the Web server, where policy broke down and allowed any one of our friends to become Neo flying about the Matrix. This collapse of the identity model is a common security problem, and it is becoming a particular issue with Web services deployed inside an organization's firewall.
The Internal Threat
It's the outside hackers who receive all the attention. The media is intoxicated with the idea of the teenage misfit outwitting the corporate giant, and all of this attention diverts much of a security professional's time and energy toward addressing the threat. But the...