Today I ran across a random link on how organized crime is systematically taking advantage of known security holes. This reminded me of RE (tilly) 2: Warning our Fellow Monks, with the moral being that with port scanning once an error is found, there really aren't fish that are too small to be noticed.

Security is hard because it is not obvious. You can fail to be secure and there are no overt symptoms. Your software still works. You don't know of the hole. But it is there, and you can still suffer for it.

However, hard or not, you still need to do it. Choose reasonable passwords. Keep up on patches. Use taint mode. Whenever you are processing arguments, rather than trying to search for every way of breaking in (an approach that always fail) consistently instead validate that the input is a form that you know is trustworthy. If you can, get someone who is knowledgable to review your security setup before someone "volunteers" to do the job for you.

Now that link talks about Windows. And it is true that Windows has an abysmal track record. However the track record for Windows is due to a combination of Microsoft not prioritizing security, and the belief (which Microsoft has promoted) that you don't need competent admins for Microsoft products. However an NT box with a competent admin is going to be orders of magnitude safer than any *nix with an admin who doesn't know what they are doing. (Home users of Linux are at serious risk.)

This is a general problem, and it is one which many here contribute to in one way or another, as admins, techs, programmers...


In reply to Stay aware of security by tilly

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":