Archive for the ‘Security’ Category

Feeling your users pain (and release notes for Secret Server 1.1)

March 27, 2006

It is a wonderful feeling to ship software – it has been a long hard slog to get this round of features complete, especially while juggling our developers across various projects and client work. This is also a welcome release as we get to use all the new features in our own company Secret Server instance.

It is also a relief to finally get rid of those few really annoying bugs that I deal with every day. The process of dogfooding your own application really makes you feel the users’ pain. There was a funny (although silly) movie at PDC last year of Microsoft installing pain delivery mechanisms for their developers, so that every time a user got an error, the user would feel the “pain”. Even though the movie was silly, it did get the point across. Often it is difficult to feel that pain since the application is in a business domain that just isn’t relevant to you (I remember building a very specific and technical sewer management system for an English county years ago, and I didn’t even live in that county nor install sewers!).

How do organizations deal with dogfooding when the business domain is not relevant to the developers? A strict quality assurance process that allows testers to inflict the “pain” on the developers?

Enough rambling, here is the laundry list of all the things taking up our time over the last few months …

(If you don’t have Secret Server yet, get it here)

Release Notes for 1.1

* Support Microsoft Access as a file-based database option
* Add import capability for CSV files (wizard)
* Email notification of secret changes
* Add support for Windows Authentication when using Microsoft SQL Server
* Streamline the secret sharing process to reduce the number of clicks
* Copy to Clipboard must be supported in Firefox (develop new Firefox plugin)
* Add installation notes to installer
* Implement masking of password fields on secret add and secret edit based on user preference
* Generate password feature
* Change installer to be more of a wizard than a checklist
* Current user should not get notification of secret update
* Ensure that all Secret Server binaries are obfuscated for improved application security
* Installer always reports access denied on write access screen
* Installer: allow the user to add a first user if there are no users and no secrets in the system
* Session timeout causes error during upgrade
* SmtpMessageTransport needs to be added
* GetSecretViewUrl needs a proper URL location
* Add email address to user maintenance screens
* Add a new column to the SecretAudit screen to show notes
* Add two new options to Tools screen
* Mailto links should also send the SS version
* Add current secret name to secret screens – sharing, history, etc.
* Configuration should be added to the toolbar
* Add password strength to ChangePassword screen
* User Edit should not allow you to make an edit that would cause the system to become dead
* Solve SecretView error on .NET Framework 2.0
* Usernames must be unique

Secret Server 1.1 is out … go and get it!

March 27, 2006

I haven’t blogged in a few weeks but I have a few good reasons: client projects with tight deadlines, the final push for our second big release of Thycotic Secret Server, and also holding back on the irresistible urge to talk about features that aren’t released yet (not much of a marketing person, huh?). We have listened to feedback and added several features as requested by users. One of the biggest new features is new support for Microsoft Access, which means that you DO NOT have to use Microsoft SQL Server to use Thycotic Secret Server anymore! We also have a new built-in import tool that accepts CSV format so you can easily import your AnyPassword or KeePass secrets to try it out with no risk.

Watch this space for more snippets of new features, some details on the future roadmap and much more Secret Server yumminess.

POP QUIZ:

Where does your development team keep its passwords?

  • Password-protected Microsoft Excel file
  • A magical piece of paper on someone’s desk
  • Post-it notes
  • On the whiteboard
  • What passwords?

What are you waiting for???? GO GET IT!
** http://thesecretserver.com ** Secret Server 1.1

Jonathan Cogley is the CEO and founder of thycotic, a .NET consulting company and ISV in Washington DC. thycotic has just released Thycotic Secret Server, which is a secure web-based solution to both “Where is my Hotmail password?” and “Who has the password for our domain name?”. Secret Server is the leader in secret management and sharing within companies and teams.

Keep the numbers meaningful in Security Reviews

December 13, 2005

I just came across this post (older) by Robert Hurlbut titled “DREAD is dead” and it reminded me of our experiences with these same ratings today. We are in the middle of a Security Review for a client and have been working through our threat model to assess the risk associated with each item. DREAD is a technique for assessing such risk using the factors: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability. As Robert mentions, the idea is to rate the threat on each of these factors using a scale from 1 to 10. Then add up all the numbers for each threat (average them if you wish) and you can list the threats in DREAD priority.

The obvious problem … what is the real difference between a 7 or an 8? That is a tough call, especially when you have 50 or more threats to evaluate (consistency in your evaluation gets challenging across that many items!). We decided to settle on a simple system of low (1), medium (2) or high (3). We also simplified our analysis to just include the traditional Criticality/Severity and Likelihood of Occurrence – interestingly, this is very similar to the Microsoft Solutions Framework (MSF) approach to categorizing and managing risk on a software development project.

Why all this effort to rate the risk? Most projects (yes, even Security Reviews!) have limited budget. This makes it important to use your resources on the most risky areas of your system. This becomes even more necessary when you have to trade off against items you will never have time to investigate.

Our risk analysis yielded a nice list of threats in the 4-6 point category, which we can now investigate starting with the most risky threats.

(PS. The authors of Writing Secure Code, 2nd Edition, mention always giving a 10 for Discoverability as things will always be discovered at some point … this again shows how DREAD is too detailed and is not a meaningful measurement.)
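To make the two rating schemes above concrete, here is an added example (my own code, not from the post or from thycotic) that scores a handful of constructed threat-model entries with full DREAD and with the simplified Severity + Likelihood scale, ranks them, and pulls out the 4-6 point band. It also checks the PS: pinning Discoverability at 10 only adds a constant, so it cannot change the ranking. The threat names and ratings are hypothetical.

```python
from dataclasses import dataclass

# Factor names in DREAD order: Damage, Reproducibility, Exploitability,
# Affected users, Discoverability.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    dread: dict        # DREAD factor -> rating 1..10
    severity: int      # Criticality/Severity: 1 low, 2 medium, 3 high
    likelihood: int    # Likelihood of Occurrence: 1 low, 2 medium, 3 high

def dread_score(t, average=False, fixed_discoverability=None):
    """Sum (or mean) of the five DREAD factors; optionally pin Discoverability
    to a constant, as Writing Secure Code suggests (always 10)."""
    ratings = dict(t.dread)
    if fixed_discoverability is not None:
        ratings["discoverability"] = fixed_discoverability
    for f in DREAD_FACTORS:
        if not 1 <= ratings[f] <= 10:
            raise ValueError(f"{t.name}: {f}={ratings[f]} outside 1..10")
    total = sum(ratings[f] for f in DREAD_FACTORS)
    return total / len(DREAD_FACTORS) if average else total

def simple_score(t):
    """The post's simplified scheme: Severity + Likelihood, each 1..3, so 2..6."""
    if not (1 <= t.severity <= 3 and 1 <= t.likelihood <= 3):
        raise ValueError(f"{t.name}: severity/likelihood must be 1..3")
    return t.severity + t.likelihood

def rank(threats, scorer):
    """Threat names from highest to lowest score (ties keep input order)."""
    return [t.name for t in sorted(threats, key=scorer, reverse=True)]

def shortlist(threats, minimum=4):
    """Threats in the post's 4-6 point band, i.e. the ones to investigate first."""
    return [t.name for t in threats if simple_score(t) >= minimum]

# Constructed sample threat-model entries (hypothetical, not from the post).
THREATS = [
    Threat("audit log editable by admins", dict(zip(DREAD_FACTORS, (8, 9, 6, 7, 4))), 3, 2),
    Threat("stack traces in error pages",  dict(zip(DREAD_FACTORS, (3, 10, 9, 5, 9))), 1, 3),
    Threat("weak password policy",         dict(zip(DREAD_FACTORS, (6, 8, 5, 9, 7))), 2, 3),
    Threat("backups on shared drive",      dict(zip(DREAD_FACTORS, (9, 6, 4, 8, 3))), 3, 1),
    Threat("installer leaves temp file",   dict(zip(DREAD_FACTORS, (2, 5, 3, 2, 2))), 1, 1),
]

def discoverability_is_irrelevant_when_pinned(threats):
    """True when the ranking with Discoverability=10 equals the four-factor ranking."""
    pinned = lambda t: dread_score(t, fixed_discoverability=10)
    four = lambda t: dread_score(t) - t.dread["discoverability"]
    return rank(threats, pinned) == rank(threats, four)
```

Running `rank(THREATS, dread_score)` versus `rank(THREATS, simple_score)` on these samples shows the orderings disagree at the top, which is the kind of 7-versus-8 noise the post is complaining about.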
