Sunday, July 15, 2007

Core Security Patterns

I was reading a book called Core Security Patterns from Sun today, and in the introduction chapter of this book they state:

"A Gartner Group report [CSO online] estimates that employees of companies are responsible for more than 70% of the unauthorized access to information systems in those companies. It is also employees of companies who perpetrate more than 95% of information systems intrusions that cause significant financial losses."

So when I ask, do you just "trust" your managed data center employees, like the managed hosting companies would like you to do? No. Audit everything. If they cannot provide an audit trail that explicitly defines who accessed your server, at what time and on what day, and what they did, then you'll need to keep your password to yourself, manage access to your server and do your own auditing -- don't use that company.

And for all those companies that swear up and down that they are invincible and secure, I say no one is ever 100% secure, and constant auditing and monitoring are needed. Case in point, this book says:

"According to an FBI survey [eWeek] of 500 companies, 90 percent say they'd had a computer security breach, and 80 percent of those said they'd suffered a financial loss as a result."

There are more reports and examples in the book, as well as a good list of security patterns for those who use a programming language that, in my opinion, allows you to have more control over your environment, such as with a Java web server. I say that because you cannot get the IIS source code...

Anyway, the book, for anyone who wants to read it again, is:

Core Security Patterns from Sun by Christopher Steel, Ramesh Nagappan and Ray Lai

Even if you don't program in Java it seems that some of the information could apply to any web application.

I haven't read the whole book so I cannot say how useful it is yet.