Corporate Security, Round Two

I do not claim to be a security expert by any stretch of the imagination. The extent of my malicious network behavior ends at clicking 'start' on a Nessus scan. And yet despite this, I find that I am constantly astounded at the inability of corporations to learn from each other when it comes to network security.

Sony made security considerations front page news for over a month. Websites were set up to mock their practices, people joked about it on Twitter, and media outlets used it as filler material between breaking stories of celebrity gossip. Somehow, despite all of this, many other corporations simply looked at the situation, threw up their hands with a "glad it's not me" mentality and went on about their day. The problem here is IT IS THEM. It's us. We, the corporate IT staff, have not pushed. CIOs have not listened. CEOs have not demanded. The folks at MySQL are now the latest example of this.

Access to their website was up for sale as a platform for pushing out malicious material, due to a lack of proper security practices. Granted, they reacted and recovered quickly, and kudos to them for it, but it should never have come to this. According to the screenshots passed around during the sale, the MySQL.com web servers were running Fedora 11. So the people behind one of the most widely used databases were running their public-facing web server, which handles roughly half a million visitors a day, on an OS designed for enthusiasts, not servers, and one that went end-of-life over a year ago. Let that sink in a moment: no security updates for over a year. Does this sound reasonable for the online presence of arguably the most widely used FOSS database software?
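The check that would have caught this is not hard to script. The following is an added example, not code from the original post or from MySQL: a small POSIX shell routine that reads the release string a Fedora host reports (the `Fedora release N (Name)` form found in `/etc/fedora-release`) and flags it if the release is past its end-of-life date, i.e. no longer receiving security updates. The end-of-life table inside it is assumed for illustration and should be verified against the distribution's published schedule before relying on it; the sample release line is constructed.

```shell
#!/bin/sh
# Added example: flag a Fedora host whose release is past end-of-life.
# Not part of the original post. EOL dates below are an assumption for
# illustration; confirm them against the distribution's own schedule.

# Print the end-of-life date (YYYYMMDD) for a Fedora release number.
# Prints nothing for releases not in the table.
fedora_eol_date() {
    case "$1" in
        11) echo 20100625 ;;
        12) echo 20101202 ;;
        13) echo 20110624 ;;
        14) echo 20111209 ;;
        *)  echo "" ;;
    esac
}

# Extract the release number from a line like "Fedora release 11 (Leonidas)".
# Prints nothing if the line does not match that shape.
fedora_release_number() {
    printf '%s\n' "$1" | sed -n 's/^Fedora release \([0-9][0-9]*\).*/\1/p'
}

# is_eol RELEASE_LINE TODAY(YYYY-MM-DD)
# Exit status: 0 = past EOL (no security updates), 1 = still supported,
#              2 = release unknown to the table (treat as "needs review").
is_eol() {
    rel=$(fedora_release_number "$1")
    [ -n "$rel" ] || return 2
    eol=$(fedora_eol_date "$rel")
    [ -n "$eol" ] || return 2
    # Drop the hyphens so the date compares as a plain integer.
    today=$(printf '%s' "$2" | tr -d '-')
    [ "$today" -ge "$eol" ]
}

# Human-readable verdict for a release line on a given date.
eol_verdict() {
    if is_eol "$1" "$2"; then
        echo "EOL: no security updates"
    elif [ $? -eq 2 ]; then
        echo "UNKNOWN: release not in table"
    else
        echo "SUPPORTED"
    fi
}

# Constructed sample: the release line a Fedora 11 host would report.
SAMPLE_RELEASE="Fedora release 11 (Leonidas)"

# Running stand-alone: check the sample against today, then the live host if present.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "sample: $(eol_verdict "$SAMPLE_RELEASE" "$(date +%Y-%m-%d)")"
    if [ -r /etc/fedora-release ]; then
        echo "this host: $(eol_verdict "$(cat /etc/fedora-release)" "$(date +%Y-%m-%d)")"
    fi
fi
```

The date comparison works on the integer form of an ISO date, so it needs no `date -d` and runs on any POSIX shell. An unknown release deliberately returns a distinct status rather than "supported", so a host running something the table has never heard of gets reviewed instead of silently passing.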

Come on, MySQL, lead by example. Good security is not simply the ability to react; it needs to be preventive as well.


Copyright © Bit Integrity