> If they are putting a server on a naked Internet connection
> with an external address, they certainly *should* be aware of
> basic security.
>
> Even "normal" home users are aware of the need for firewall
> (and av) software. A $40 dsl/cable/etc router contains a
> decent enough firewall to protect a MS-SQL server behind it
> with no more work than plugging it in and turning it on.

Sure, that's one thing. So Joe Home User goes out and buys a $50 wireless router which blocks external access, but allows internal access to other machines connecting through WiFi. He plugs it into his cable modem and he's all set, until his next-door neighbor infects his machine by connecting to it through the open-by-default wireless connection! D'oh! I guess he's just an idiot, because he doesn't know how TCP/IP works. Too bad he installed Visio Enterprise so he could work on flow charts at home. How could anyone be so dumb?

I've got news for you. Most people don't know how TCP/IP works. And if they have to know that in order to use a PC, something is radically wrong with PCs.

> Seriously, running any externally facing app without basic
> security precautions makes you *not* an idiot? The level of
> even basic security-awareness should be part of every
> developer's toolbox -- at least any one worth hiring. And the
> excuse that "I didn't know MSDE was part of the application"
> or "I'm not a sysadmin" is a pretty poor one. How hard is the
> Microsoft Baseline Security Analyzer to use? How hard is it
> to read the docs?

Who said anything about developers? Again, there are plenty of applications with vulnerabilities, and these may be run by people other than developers.

Oh, and that list of apps that use MSDE is woefully incomplete, by the way. I've worked with several applications that (a) aren't on the list and (b) install MSDE without notifying the user.

> The assumption that "I didn't know" is an acceptable excuse
> relating to security, whether it's configuration (e.g.
> firewall settings) or code (e.g. SQL injection
> vulnerabilities) is a key reason why people get cracked. And
> frankly, I care less about someone with poor security getting
> hacked (something along the lines of "getting what you
> deserve") than what their zombie server can do to my sites or
> one of the sites I count on -- or about the consequences of
> the use/misuse of my data they're storing.

If I leave my front door open and someone walks in and bops me on the head, did I get what I deserve? Why is this any different?

> When a security issue can affect *me*, then I've got a stake
> in making sure people do the right thing -- I think security
> is black and white (you don't see a "Grey Hat" security
> conference...) Maybe there are varying *degrees* of security
> idiocy, but all things considered, I'll err on the side of
> spending the time/money/effort on security instead of taking
> the risk of being a victim of the "security is too hard"
> syndrome.

Your efforts would be better spent on the developers of insecure applications, if for no other reason than it's a smaller dataset.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!