Security and Security Consulting

A consulting firm did a security audit on the company I work for. Of course, we had to have a way to manage our new security policies once the audit was done. (That is, we would have to have a way to manage the policies if we had them, which we don’t, but that’s another story.) So, they sold us software that they valued at around $50,000 to do this. A nice little web-based utility, written in Tomcat/Apache with an Oracle backend and running on Solaris.

Now, since I try to be security conscious, I reduced the Solaris install to the core OS. In fact, this is one of the things they recommend: reducing the software on a machine to only what is needed.

I mentioned this to the consultant they sent to help with installation and he was shocked.

“Don’t do that!” he said.

“It works, doesn’t it?” I replied.

“I guess, but we don’t test it that way.”

The irony should be obvious.
