Mythics Blog

Lessons from Shakespeare: Why is OAM Important?

Posted on April 19, 2013 by Marc Boorshtein

Tags: Mythics Consulting, Security, Oracle Software

“Et tu WordPress!” – paraphrased from Julius Caesar Act III, Scene I

If Shakespeare blogged, I wonder if he would have used WordPress? I don't have anything against WordPress; I've deployed it several times. It suffers from an issue common to most applications: security is either poorly implemented or not implemented at all. Application developers will either skip security altogether or have their own ideas about how things should be secured. Combined with the fact that the platforms these applications run on are as poorly locked down as the applications themselves, this often leads to scenarios where your favorite application platform can make you feel like there's a knife coming out of your back, wondering how your greatest friend could have put it there. It’s not intentional, it’s just inevitable.

Take WordPress, an immensely popular platform for blogging but also for web site and application development. Last week it was discovered that someone is running a massively distributed brute-force attack in an attempt to crack common “admin” passwords (http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br). This attack has been successful because WordPress developers have focused on functionality, not security.

So, how does one protect oneself? A system like Oracle Access Manager will go a LONG way:

  1. Disable default admin accounts and assign rights to users' real accounts;
  2. Externalize authentication, so underlying vulnerabilities will be sealed;
  3. Provide a single “shutdown point” for applications and users; and,
  4. Externalize some authorizations.

This has a benefit other than security: it also gives your developers a break. Externalizing security lets your developers focus on the business issue being solved rather than re-inventing the wheel, which leads to lower costs, fewer breaches and CIOs in the Wall Street Journal talking about success instead of apologizing for breaches!
