A consulting firm did a security audit on the company I work for. Of course, we had to have a way to manage our new security policies once the audit was done. (That is, we would have to have a way to manage the policies if we had them, which we don’t, but that’s another story.) So, they sold us software that they valued at around $50,000 to do this. A nice little web-based utility, written in Tomcat/Apache with an Oracle backend and running on Solaris.
Now, since I try to be security conscious, I reduced the Solaris install to the core OS. In fact, this is one of the things they recommend: reducing the software on a machine to only what is needed.
I mentioned this to the consultant they sent to help with installation and he was shocked.
“Don’t do that!” he said.
“It works, doesn’t it?” I replied.
“I guess, but we don’t test it that way.”
The irony should be obvious.