
Security quotes of the week

Security quotes of the week

Posted Oct 11, 2012 15:43 UTC (Thu) by raven667 (subscriber, #5198)
In reply to: Security quotes of the week by nix
Parent article: Security quotes of the week

I've seen that kind of system for PCI compliance where a QSA interpreted the standard to mean that database passwords at rest on the disk couldn't be stored in the clear. We obfuscated them using some library that would read a key from an environment variable that was sourced by the startup script so it would be inherited when the app started.

It was clear and understood by the QSA and management that this only prevented accidental disclosure due to shoulder surfing, printing or copying of config files, and would not prevent disclosure to anyone with access to the host. That was fine and understood to be the risk; obfuscating sensitive config values turned out not to be that big a deal in practice.


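As an added illustration of the arrangement raven667 describes (not code from the thread, and not the library that was actually used): a config loader that unwraps obfuscated values with a key inherited from the startup script's environment. The variable name, the `OBF:` marker and the keystream construction are assumptions for this example; the comments note where the limitation the post accepts shows up.

```python
import base64
import hashlib
import os

# Constructed names; the original post names no library, variable or format.
KEY_ENV_VAR = "APP_CONFIG_KEY"
PREFIX = "OBF:"


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: enough to keep a value out of plain view in a
    # config file, which is all this scheme is meant to do.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def obfuscate(value: str, key: bytes) -> str:
    nonce = os.urandom(8)  # fresh per value so equal secrets look different
    data = value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key + nonce, len(data))))
    return PREFIX + base64.b64encode(nonce + ct).decode()


def deobfuscate(field: str, key: bytes) -> str:
    if not field.startswith(PREFIX):
        return field  # plain value, passed through unchanged
    raw = base64.b64decode(field[len(PREFIX):])
    nonce, ct = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct)))).decode()


def load_key() -> bytes:
    # The startup script exports this before exec'ing the app, so the child
    # inherits it. Anyone who can read the script or the process environment
    # recovers the key: the accepted limitation the post describes.
    key = os.environ.get(KEY_ENV_VAR)
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} not set; cannot read obfuscated config")
    return key.encode()


def load_config(text: str, key: bytes) -> dict:
    # Minimal key=value parser; only the values are unwrapped.
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            cfg[k.strip()] = deobfuscate(v.strip(), key)
    return cfg
```

A shoulder-surfer sees only the `OBF:` string in the file, while a process on the same host with the environment or the startup script has everything it needs.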

Security quotes of the week

Posted Oct 11, 2012 18:58 UTC (Thu) by nix (subscriber, #2304)

You got a threat model? You lucky sod. I was never able to get the same threat model out of anyone more than once, and never any explanation as to how their stated (often bizarre) threat models would be defended against by the spec they insisted on. But, hey, they were paying the bills...


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds