Blurring the lines between admin and security

June 22nd, 2010 by Josh

I’ve been a network/systems admin for a long time now and just when I think I’ve got all of my responsibilities nailed down, I discover a new pile of them hiding in the corner.  The latest batch has turned out to be security.  Yes, that’s a very, very broad scope.  I’ve always been responsible for network security, being the primary manager of our firewalls and VPN platforms, but this is quickly branching into areas I’m not comfortable with (yet).

We’re currently being audited for PCI compliance by our bank.  This means that all sorts of things need to be tested and verified and that numerous configurations must be in place from the perimeter to the desktop.  Lots of these things aren’t in place, mainly on the desktop side, but I was welcoming this audit as I’ve always felt that we should be better about security and I just didn’t know where to start.  Well, the PCI stuff is pretty straightforward, but what happened was that during the interviews I discovered that several of our internet-facing systems are allowing the submission of sensitive customer data.  It turns out that some of our internal developers don’t have much sense for security and have taken some of our web applications much further than we in the IT department ever anticipated.  This was a massive wakeup call.  Massive.

So how should IT manage developers?  We have a loosely designed management tree that starts with a global IT manager, then regional IT managers (ours covers all of the Americas) and then network and applications managers.  I’m the network manager, and our applications manager isn’t actually managing most of the applications people.  The applications manager should be managing all of the applications people but due to lack of resources and possibly lack of management ability, nobody is watching the sheep.

So what should we do?  Hiring security consultants on an ongoing basis is probably more expensive than our budget can handle.  Should I take it on?  I barely have time to cover my current responsibilities as it is, and everyone on my team is already too swamped as well.  The applications manager isn’t going to do anything, that much is certain, and if I go to the regional or even global IT manager, they’re going to put it back on me or my team.  What to do…what to do.

One thing that has occurred to me is that some of these developers (and the ones I’m most concerned about as far as security) do not work within our IT organization at all.  They are engineers with some programming savvy and enough knowledge about our business to write some pretty useful tools for the business to use.  The problem is that because of their lack of formal development education, they may not be following best practices, and quite frankly I’m not sure where to start when it comes to fixing that.

My next step is to contact some security consultants that do application testing and validation, to check for security issues, development best practices, and anything else that might turn up as a problem.  If you know of any good/trusted security management solutions, I’d love to hear about them.  We’re in desperate need of something, and soon!

Josh Currier - Blogged