July 31, 2015 at 8:20 am
I do understand what you're saying about SSC. I've noticed that within the last couple of weeks I have to enter my username and password each time I go to the SSC. Didn't have to do that in the past. I'm wondering if something has changed?
Kindest Regards, Rod Connect with me on LinkedIn.
July 31, 2015 at 8:26 am
I'd like to see HTTPS required as well.
August 5, 2015 at 9:46 pm
https is on the list. I've asked for it, but that's out of my control.
Nothing has changed as far as requiring passwords in a new way. We still cookie a token, and if you authenticate on the same machine, we recognize it.
August 5, 2015 at 9:50 pm
scoan (7/30/2015)
I can imagine us all using candid comments in our code. If we were to add a comment regarding authentication, and if that comment were to consider the ramifications of an intruder surreptitiously accessing this code at this juncture, would we say something like, "Maybe should re-authenticate, but if someone gets here we're f*d anyway"?Having developed several systems requiring security over the years, mostly sensitive information having to do with salary and demographics for HR, I find that at some level every system finds itself in a vulnerable state. The question is whether that vulnerability is warranted--not unlike a personal situation with a spouse or significant other or trusted friend or professional counselor. The best I can do as a developer is document very clearly what's at stake if someone accesses this code at that level of privilege. This is kind of a cop-out, but I develop systems; I don't run them; I don't provide insurance against social engineering...
I'm not sure where you're going with comments here. Allowing internal systems to access each other without some authentication gives a pathway through your system if someone gets to a machine. It's not about being ultraparanoid, but following good practices and asking for some authentication where you can with good practices. Not setting up internal systems with blank passwords because it's easy.
Certainly we can't prevent everything, nor should we aim to. However we can follow secure coding practices whenever we're implementing something and try to limit the accesses.
March 14, 2016 at 7:09 am
I am against the offering of bonuses internally for defect discovery. I have seen a number of similar offerings gamed. A lot of people end up disincentivised.
I would much prefer the collection of defect statistics and driving education and discipline using it. Preferably education but I am not against someone who refuses to change their "bad" ways being shown the door if they have been given plenty of opportunities to improve.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
Viewing 5 posts - 16 through 19 (of 19 total)
You must be logged in to reply to this topic. Login to reply