On 22 Apr 2015, at 22:18, Adam Bower adam@thebowery.co.uk wrote:
On Wed, Apr 22, 2015 at 09:58:19PM +0100, Bobby Moss wrote:
I probably should have mentioned here that some work needs to go into packaging, maintaining & testing components in this way internally. Your link talks of downloading containers & binaries from unknown sources. That's certainly not a good idea!
Unfortunately, most software engineers don't understand the full system end to end and what security means. When the build scripts for the software you might want to use do that, then you're already screwed. This is really a good example of why you shouldn't let engineering lead on deployment.
Hear hear on your other response btw. In response to the above, as a software engineer, the information we have to go on is what the designer or client has told us. If neither has spoken to the Ops teams/sysadmin(s) about what's supportable and secure, then it can lead to the problems you mentioned. The moral of the story is everyone from end to end has to work together to build good systems.
There's a middle ground, but blindly following what people say is a very, very bad idea (as is suggesting different operating systems based on how secure they are; they're all insecure until you build some security into your system).
Fair enough.
Adam
main@lists.alug.org.uk
http://www.alug.org.uk/
http://lists.alug.org.uk/mailman/listinfo/main
Unsubscribe? See message headers or the web site above!
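The thread's concern is build scripts that download containers or binaries from wherever a URL happens to point and run them as-is. The following is an added example written for this page, not code from the ALUG thread or from any project discussed in it: a small POSIX shell helper that pins a build-time download to a SHA-256 value recorded alongside the script, so the build fails closed when the fetched artefact differs from what was reviewed. The URL, file names and the hash in the usage comment are placeholders; the function names `sha256_of`, `verify_sha256` and `fetch_verified` are this example's own.

```shell
#!/bin/sh
# Added example (not from the ALUG thread): verify a downloaded artefact
# against a hash recorded with the build script before using it.
set -eu

# Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest matches EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "hash mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX DEST
# Downloads to a temporary file, verifies it, and only then moves it into
# place; a mismatch leaves nothing at DEST for a later step to pick up.
# Assumes curl is installed (hypothetical URL in the usage comment below).
fetch_verified() {
    tmp=$(mktemp)
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
        --output "$tmp" "$1"
    if verify_sha256 "$tmp" "$2"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Pattern the thread warns about, shown only for contrast:
#   curl -sSL https://example.invalid/install.sh | sh
# Pinned pattern (placeholder URL and hash; record the real hash in-repo):
#   fetch_verified https://example.invalid/tool.tar.gz <sha256-from-release-notes> tool.tar.gz
```

The `--proto '=https'` and `--tlsv1.2` flags restrict curl to HTTPS over a modern TLS version, but the transport check is secondary: the hash pin is what ties the build to the artefact that was actually reviewed, regardless of which mirror or CDN served it on the day.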