Absurd Alhazred posted: I mean, it's generally good practice to have at least one other person look over your code before you push it through, right?

Isn't this what CI/CD pipelines and no self-approval are for? You can even do things like run code review through security scanning tools before pushing to prod.

edit: added quote for page snipe

Mustache Ride fucked around with this message at 22:02 on Sep 10, 2021

Sep 10, 2021 21:59

Inept posted: that's still a good practice in general

It’s fine to have the change author push the button to deploy if it got review from someone else along the way.

Sep 10, 2021 23:19

https://twitter.com/jq0904/status/1436155700212744211

Sep 10, 2021 23:28

see thread title

Sep 10, 2021 23:34

does anyone else hate twitter gifs because they are so terrible at seeing details?

Sep 10, 2021 23:36

drat I wish I could read

Sep 10, 2021 23:55

wargames posted: does anyone else hate twitter gifs because they are so terrible at seeing details?

drat shame you can't zoom in with, say, ctrl-scroll wheel. But yes, I hate that I can't just click a button to fullscreen it or something.

Sep 11, 2021 01:28

I hate twitter gifs, twitter, and also myself.

Sep 11, 2021 02:07

Why do they keep shipping software which just loads poo poo from any URL that the document embeds? Why is it not disabled by default if you have to leave it in?

Sep 11, 2021 02:19

wargames posted: does anyone else hate twitter gifs because they are so terrible at seeing details?

All you have to do is recognize calc.exe’s window.

Sep 11, 2021 02:27

Subjunctive posted: It’s fine to have the change author push the button to deploy if it got review from someone else along the way.

This is what I'm referring to. 100% someone else should review / approve code / configuration / data before it's pushed. The problem I've seen is when organizations insist on having someone with no knowledge at all manage the deployment because "separation of duties". Their poor understanding of the intent of that law--basically, you can't complete a financial transaction by yourself, and you can't determine your own pay--leads them to dramatically increase the risk of a financial mistake.

Sep 11, 2021 13:01

Do comment, style, typo fixes and other changes of that nature require review?

Sep 11, 2021 14:46

Yeah, someone needs to review the change to make sure that's all it is.

Sep 11, 2021 14:48

BlankSystemDaemon posted: Do comment, style, typo fixes and other changes of that nature require review?

Here is the absolute rule: did something change? Then it needs to be reviewed by someone else, even if it's just for sanity checking.

Sep 11, 2021 16:42

BlankSystemDaemon posted: Do comment, style, typo fixes and other changes of that nature require review?

Risk-based approach: is the text/style part of the application separate from the important bits? Sure, you can probably do changes without supervision. Is it the same rights you need to reroute cash flow to your Swiss bank account? Yeah, do a review. Is the application managing payroll or internal news? That makes a difference as well. As alluded to earlier, absolute rules are poo poo; you need to figure out what is relevant case by case.

Sep 11, 2021 19:24

BonHair posted: Risk-based approach: is the text/style part of the application separate from the important bits? Sure, you can probably do changes without supervision. Is it the same rights you need to reroute cash flow to your Swiss bank account? Yeah, do a review. Is the application managing payroll or internal news? That makes a difference as well.

This. Otherwise you end up with auditors who question someone editing a file on a SharePoint site because it's "in production".

Sep 11, 2021 20:45

CommieGIR posted: I know we're rolling out Crowdstrike to all our containers, so yeah. Ironically, we had a finding for "No Anti-Malware on your Mainframe"

Ynglaur posted: This is what I'm referring to. 100% someone else should review / approve code / configuration / data before it's pushed. The problem I've seen is when organizations insist on having someone with no knowledge at all manage the deployment because "separation of duties". Their poor understanding of the intent of that law--basically, you can't complete a financial transaction by yourself, and you can't determine your own pay--leads them to dramatically increase the risk of a financial mistake.

evil_bunnY fucked around with this message at 21:23 on Sep 11, 2021

Sep 11, 2021 21:21

evil_bunnY posted: Why is poo poo like this not an immediate "come to my office and let's have a chat about not wasting our loving time"

Yeah I had to explain, very slowly, how mainframes do not have anti-malware. Not yet, because nobody really targets mainframes. And I wasn't going to waste my time on a finding for something that doesn't exist.

Sep 11, 2021 21:27

CommieGIR posted: Yeah I had to explain, very slowly, how mainframes do not have anti-malware. Not yet, because nobody really targets mainframes. And I wasn't going to waste my time on a finding for something that doesn't exist.

I know this, but I don't get it. Most mainframes I've heard of do really loving serious financial stuff. Like, one (actually more than one because redundancy) handled all money transactions of the Danish state, as just part of the scope. And I think most banks have mainframes doing stuff like that. It seems like the biggest and bestest target for APT-type attacks, especially since they will be internet-facing to communicate with each other (I'm guessing here for the record). My understanding is that something about the framework makes malware almost impossible, but that seems unlikely in actual reality.

Sep 11, 2021 21:55

It's not that it's impossible, it's that no one has test hardware, mainframes are usually buried deep in anyone's network, and there's like 4 all fucks in all of continental Europe who can competently write for the drat things.

Sep 11, 2021 22:09

If there are APTs that have taken the considerable effort to craft custom mainframe malware, do you really think some generic antivirus is going to catch it?

Sep 11, 2021 22:18

Antivirus can't even catch basic red team malware on Windows computers, let alone some esoteric machine.

Sep 11, 2021 22:24

FungiCap posted: Antivirus can't even catch basic red team malware on Windows computers, let alone some esoteric machine.

It's this. If someone is writing malware for mainframes, nobody will have seen it before and no anti-malware is gonna catch it.

BonHair posted: I know this, but I don't get it. Most mainframes I've heard of do really loving serious financial stuff. Like, one (actually more than one because redundancy) handled all money transactions of the Danish state, as just part of the scope. And I think most banks have mainframes doing stuff like that. It seems like the biggest and bestest target for APT-type attacks, especially since they will be internet-facing to communicate with each other (I'm guessing here for the record).

Yeah, mainframes have a lot of very valuable data, but it's getting to them and exploiting them. Exploiting mainframes is a relatively new and unexplored field; in fact you are more likely to exploit a mainframe through a Linux container on a mainframe than the z/OS itself. If there is any mainframe malware active today, it's relatively rare and unknown to the point that an anti-malware would likely miss it, and even then nobody is really writing for z/OS itself.

Ian Coldwater and Chad Rikansrud did a good presentation this year on mainframe container escapes: https://www.youtube.com/watch?v=7DXF7YDBf-g&t=2s

CommieGIR fucked around with this message at 22:39 on Sep 11, 2021

Sep 11, 2021 22:34

I seem to remember some mainframe dude talking about how the reason mainframes were safe from that kind of stuff was that z/OS is just too stupid and simple. It does what little it does, and lacks the capability to do much exploitable. It would be like trying to exploit an old school (non-scientific/graphing etc) calculator. There just isn't much there to exploit without actually being able to rewrite it at a low level.

Sep 11, 2021 23:07

CommieGIR posted: It's this. If someone is writing malware for mainframes, nobody will have seen it before and no anti-malware is gonna catch it.

https://www.youtube.com/watch?v=opBLBYAR8tU
https://www.youtube.com/watch?v=KXlmru_B-Uk
https://www.youtube.com/watch?v=Xfl4spvM5DI

Sep 11, 2021 23:20

BlankSystemDaemon posted: If anyone watching this video has a thirst for more, here's some:

These are all really good, yeah there's been a lot of discussion about Mainframe exploitation this year, I blame the COVID lockdown.

Sep 11, 2021 23:27

CommieGIR posted: These are all really good, yeah there's been a lot of discussion about Mainframe exploitation this year, I blame the COVID lockdown.

Sep 11, 2021 23:36

I think that was just a general observation with a comma splice, not a statement about the motivation for those specific talks.

Sep 11, 2021 23:36

BlankSystemDaemon posted: Uhm, all three of those are pre-COVID.

I meant increasing interest; yeah, those are all pre-COVID, my bad.

Sep 11, 2021 23:44

CommieGIR posted: I meant increasing interest; yeah, those are all pre-COVID, my bad.

Sep 11, 2021 23:50

BonHair posted: Risk-based approach: is the text/style part of the application separate from the important bits? Sure, you can probably do changes without supervision. Is it the same rights you need to reroute cash flow to your Swiss bank account? Yeah, do a review. Is the application managing payroll or internal news? That makes a difference as well.

While I agree in principle because change management where I work is loving tedious nonsense (and it takes hours out of my day to make trivial changes), the flip side of this is that I have to gate-keep what gets done to production systems because policy enforcement now depends on who you ask.

Sep 12, 2021 03:31

azurite posted: While I agree in principle because change management where I work is loving tedious nonsense (and it takes hours out of my day to make trivial changes), the flip side of this is that I have to gate-keep what gets done to production systems because policy enforcement now depends on who you ask.

this. you are gonna have to either deal with a CAB or a grumpy sysadmin either way, so why not choose the route of inflicting the least amount of grumpiness?

Sep 12, 2021 05:58

I got into mainframes because of SoF (who I’m pretty sure posts here) and it’s kind of a crazy world. It’s one of those topics that I’d have to dedicate way too much time to actually get seriously competent at, and just can’t dedicate that much time and still have sanity. Which is a shame because it’s super interesting to me. I’m in like the one field where it’s arguably still relevant to boot.

Sep 12, 2021 13:26

yeah same, i took one of his mainframe exploitation workshop class things. but as far as i know it's not like i can spin up a mainframe emulator to dick around with

Sep 12, 2021 20:19

Achmed Jones posted: yeah same, i took one of his mainframe exploitation workshop class things. but as far as i know it's not like i can spin up a mainframe emulator to dick around with

Yeah you can, it's called Hercules.

Sep 12, 2021 20:25

There's Hercules and a copy of z/OS floating around.

Sep 12, 2021 20:26

IBM also has a cloud-based mainframe you can do stuff in.

Sep 12, 2021 21:31

And it's kind of important to realize that OS/390 and z/OS have had UNIX System Services as a feature going back to like, 1998 I think. So I imagine there's definitely a bigger attack surface than just what you can run "native" on z/OS. I really wish I could speak more competently to this.

Sep 12, 2021 23:01

WebSphere lol

Sep 12, 2021 23:12

Inept posted: WebSphere lol

mods? please ban this sick filth

Sep 12, 2021 23:43