by blisterpeanuts 1004 days ago
I’m taking a cybersecurity course right now and this article is timely and informative. I’m a programmer with a lot of Java and database experience, but not really knowledgeable about security practices.

Maybe security certification should be more of a requirement in hiring software engineers; I don’t recall it ever being mentioned in job listings.

Anyway, it got me wondering, how did devs get away with storing database credentials in a file on an NFS share? That’s sheer recklessness. As a regular procedure, an audit should include scanning all files for passwords, for example; run find-grep-dired or similar on every mount, every disk, every cloud instance etc. And, obviously, require regular password changes.

It should be assumed that the entire system is vulnerable, and hardening should be done regularly and rigorously. A company as big as Equifax (or Target) should have a dedicated team whose job it is to constantly probe and audit. Since, after all, the black hats are constantly probing, too.

2 comments

> an audit should include scanning all files for passwords

Please continue taking the security course. Scanning all files for passwords is madness. How do you differentiate "thisissupersecret" and "123fqfqlfni34235r4" and "git@somegitrepo.com" as passwords? You can't, they're all valid passwords for a majority of services.

At some point, you need to trust developers to do the right thing, which is impossible.

You're right, but I was thinking of searching for known passwords. For example, if an Oracle db accessed by developers is tekla / tekla1234, then scan for the string "tekla1234". It should not exist in any file. If it exists in a file, then obviously that is a potential leak.

And where do you intend to store these "bad" passwords in order to scan?

Don’t be so mean to the guy.

One approach would be to have passwords of a known format, that are rotated frequently, and to verify that you’re not finding any strings matching those patterns saved to disk or in log files, etc.
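A sketch of the two scanning ideas raised in this thread (matching a known password format, and matching specific known credentials without storing them in the clear), added here as an illustration and not code posted by anyone in the thread. The "svc-" plus 24 alphanumerics convention and the sample file contents are assumptions made up for the example.

```python
import hashlib
import re

# Assumed convention (not from the thread): issued service passwords are
# "svc-" followed by exactly 24 alphanumerics, so any such string in a file is a leak.
KNOWN_FORMAT = re.compile(r"\bsvc-[A-Za-z0-9]{24}\b")

# Candidate tokens to check against the known-credential list: any run of 8+
# characters that is not whitespace or a common key/value separator.
TOKEN = re.compile(r"[^\s\"'=:,;]{8,}")


def fingerprint(secret: str) -> str:
    """The scanner only carries SHA-256 digests of the credentials it hunts for."""
    return hashlib.sha256(secret.encode()).hexdigest()


def scan_files(files: dict, known_digests: set) -> list:
    """files maps path -> text. Returns (path, line_no, reason) findings."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            if KNOWN_FORMAT.search(line):
                findings.append((path, line_no, "matches issued-password format"))
                continue
            for token in TOKEN.findall(line):
                # Hash each candidate and compare digests; plaintext never leaves the file.
                if fingerprint(token) in known_digests:
                    findings.append((path, line_no, "matches a known credential"))
                    break
    return findings


# Constructed sample data standing in for files found on a mount.
SAMPLE_FILES = {
    "/mnt/share/app/db.properties": "db.user=tekla\ndb.password=tekla1234\n",
    "/mnt/share/logs/app.log": "2024-01-01 INFO connecting as svc-Ab12Cd34Ef56Gh78Ij90Kl12\n",
    "/mnt/share/README": "git@somegitrepo.com is the repo; nothing secret here.\n",
}
# Built from the credential store at scan time; only digests are kept.
KNOWN = {fingerprint("tekla1234")}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES, KNOWN):
        print(*hit)
```

The digest set answers the "where do you store the bad passwords" objection: the scanner holds hashes, and a false positive on an arbitrary string like git@somegitrepo.com cannot occur unless that exact string is itself an issued credential.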

A lot of companies are like that. In my previous company people shared usernames and passwords through MS Teams, and I'm sure someone stores them in team folders too.

In the early 90s, at a large financial company I worked for, the system user name/password for a Sybase db was sa/sa. It was so convenient. Of course those were the primordial days, but still.

Sybase! Ah, my father has a book about that. Yeah, I get that back in the day many were ignorant about security.