9 November 2015
Although the “Ten Tips for Designing, Building, and Deploying More Secure Web Applications” were published on 7 September 2005 the list still up-to-date.
I am discussing in particular tip 2 “Services Should Have Neither System nor Administrator Access” for years with internal developers and software vendors.
We have this under control in the case of in-house developed products, but many software vendors are still not ready to meet minimum security requirements. Very often neither the account name nor the password of service accounts can be changed, and this holds even on newly developed products.
This makes a regular password change for service accounts impossible. And extra effort is required to secure such systems once the account information is compromised.
Hopefully your systems meet the requirements and, the mentioned software versions are no longer in use.
Have a good week.