Article Excerpt

True story from the consulting trenches: the operations staff had left hours ago, shaking their heads and reluctantly leaving the consultants to resolve a problem with their code. It was well past midnight, in the middle of winter, in a town many time zones from home. The project was late. Altogether, this was an awkward situation that you probably know well.
The consultants--falling into that murky classification of not quite outsider, nor regular employee--worked from hobbled accounts; the security staff were pros and took their charge seriously. By 2:00 a.m., the group was stuck. They needed to change a properties file residing on a remote server, but the distributed file system wouldn't allow it, rightfully sneering at the group like the grubbiest serfs in the kingdom. But there was a Web server ...
... And this server was running as root. Before you could say "exploit," our team had all of the rights and privileges of the king of the castle. They tweaked the configuration, muddied the logs, and lo and behold, the software began to run as designed. The client was thrilled the following day; the application moved into production; everybody got paid.
Is this an allegory illustrating the virtues of hacking on the job? No, as it was unethical, possibly illegal, and certainly grounds for termination. No, this is a story about a clash between security models. At the OS/file system level, the consultants were exactly where they should have been: contractors, a little weary, and not entirely trusted. It was a failure at the application level, that is, across HTTP and the Web server, where policy broke down, allowing any one of our friends to become Neo flying about the Matrix. This collapse of the identity model is a common security problem. It's becoming a particular issue with Web services deployed inside an organization's firewall.
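The root-owned Web server in the story is exactly the kind of condition a routine audit should catch before a consultant does. The script below is an added example, not code from the article: it scans `ps` output for Web-server processes running as root. A master process that has spawned non-root workers is treated as legitimate (it needs root only to bind a privileged port and then forks workers as an unprivileged user); a root process with no unprivileged children is flagged, because every request it serves carries root's authority in place of the caller's. The process names matched and the sample `ps` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Web-server processes that serve requests as root.
# Usage on a live host:  ps -eo user,pid,ppid,comm | audit_root_webservers

# Constructed sample of `ps -eo user,pid,ppid,comm` output (illustrative only).
SAMPLE_PS='USER       PID  PPID COMMAND
root         1     0 init
root       812     1 httpd
apache     813   812 httpd
root       901     1 nginx
www-data   902   901 nginx
root       950     1 tomcat
root       999     1 sshd'

# Reads ps output on stdin, prints "pid command" for each offending process.
# A root process is excused only if at least one non-root child reports to it,
# i.e. it is a master that has already dropped privileges in its workers.
audit_root_webservers() {
    awk 'NR > 1 {
            user[$2] = $1; ppid[$2] = $3; comm[$2] = $4
        }
        END {
            # Mark every pid that has a non-root child: these are masters.
            for (p in ppid)
                if (user[p] != "root" && (ppid[p] in user))
                    has_unpriv_child[ppid[p]] = 1
            # Flag root-owned server processes with no unprivileged workers.
            for (p in user)
                if (user[p] == "root" &&
                    comm[p] ~ /^(httpd|apache2|nginx|tomcat|java)$/ &&
                    !(p in has_unpriv_child))
                    printf "%s %s\n", p, comm[p]
        }' | sort -n
}

# Run against the constructed sample; on this input only tomcat is flagged,
# since httpd and nginx each have a worker running as an unprivileged user.
printf '%s\n' "$SAMPLE_PS" | audit_root_webservers
```

The pattern list is deliberately short; extend it to whatever serves HTTP on your hosts. A flagged process is the precondition for the story above: whoever can influence what it writes writes as root, regardless of the file system's opinion of them.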
The Internal Threat
It's the outside hackers who receive all the attention. The media is intoxicated with the idea of the teenage misfit outwitting the corporate giant, and all of this attention diverts much...
More articles from XML Journal