
Re: [webanalytics] Security aspect of SDC

  • Steve
    Message 1 of 14, Nov 30, 2007
      On Dec 1, 2007 12:52 AM, Seby Kallarakkal <seby@...> wrote:
      > One of our customers is using WebTrends enterprise version and they are
      > moving from normal web server log files to SDC. This customer is extremely
      > sensitive to any software that is installed in their data center. Since SDC
      > server is required to be on the public network, their security team wants to
      > know
      >
      > a. Since SDC uses ISAPI filter on IIS, does it pose any vulnerability /
      > threat?

      By definition it can't pose a threat, but can expose a weakness or
      vulnerability that could be exploited by a threat.
      /pedantic.


      > b. If there has been any instance of SDC installation being exploited
      > in the past?

      *known* would be the key word.


      > We tried searching on the Internet, but found only old articles on
      > securityfocus.com. Perhaps there is nothing online because there are no
      > issues whatsoever in terms of security. But would be good to know. Thanks

      No. What that means is that there have been none exposed, or publicly
      announced. It does not mean they don't or haven't existed.
      It doesn't mean they have been exposed or exist either. This silence
      cuts both ways.


      But I am highly curious as to why you're being asked to provide this
      information to the customer to their Security team?
      With all due respect to your customer, this information gathering
      exercise is one of the key tasks of their security team. THEY are the
      ones that should have hooks into CERT, AUSCERT and so on. THEY are the
      ones who trawl bugtraq.

      They're the experts in this area, why are they abrogating one of their
      primary duties?

      After all, you're trying to sell a service to them. How can they
      possibly know that you're not lying through your teeth to (a) sell
      something and (b) use the weakness info to onsell elsewhere and make
      an even bigger profit!

      No offence meant or implied! :-)


      Putting on my highly_opinionated_hat, this sounds like a team that
      issues edicts from on high and that has no clue what they are really
      there for. Namely: to help the business manage a particular style of
      risk in the most cost effective way possible. Anything else is window
      dressing to that core task.

      How do you politely tell them to do their job themselves? Politics. Oh joy....


      HTH?
      Cheers!
      - Steve
    • Seby Kallarakkal
      Message 2 of 14, Dec 1, 2007
        Hi Steve,

        Thanks for the reply.

        Don't worry, no offense taken :). Actually there are answers to your question. But it might mean offending people and would not get us to the solution :)

        Thanks for your thoughts.


        Regards,

        Seby Kallarakkal

      • Sergio Maldonado
        Message 3 of 14, Dec 4, 2007
          Hi Seby,

          I have gone through the same experience so many times (and in so many
          different places!), it comes as no surprise!

          System Administrators on the client side are paid to be the way they are:
          Extremely suspicious of anything you plan to plant on their servers. They
          just can't help. No matter where you are, you will be cross-examined on the
          same points.

          Then, of course, as Steve rightly says, they end up being so much better
          informed than any of us in the WA world! :)

          So, the only way you can help them now is by putting together your
          experience with ours and saying: Neither I nor those guys at the forum
          (confirmed, this end) have ever experienced a security breach that is
          associated to the SDC installation. Of course, we always deal with competent
          people on the IIS or Apache side :)

          Good luck!


          Sergio Maldonado
          Spanish Web Analytics Association
          www.aeaw.es







          On Nov 30, 2007 2:52 PM, Seby Kallarakkal <seby@...> wrote:

          > Hi,
          >
          > One of our customers is using WebTrends enterprise version and they are
          > moving from normal web server log files to SDC. This customer is extremely
          > sensitive to any software that is installed in their data center. Since
          > SDC server is required to be on the public network, their security team
          > wants to know
          >
          > a. Since SDC uses ISAPI filter on IIS, does it pose any vulnerability /
          > threat?
          > b. If there has been any instance of SDC installation being exploited
          > in the past?
          >
          > We tried searching on the Internet, but found only old articles on
          > securityfocus.com. Perhaps there is nothing online because there are no
          > issues whatsoever in terms of security. But would be good to know. Thanks
          > for any input that you might have.
          >
          > Regards,
          >
          > Seby Kallarakkal
          >
          > seby@...
          >
          > +91-80-25423566 Ext.207
          >
          > www.nabler.com
        • Lothaire Ruellan
          Message 4 of 14, Dec 7, 2007
            Webtrends also proposes a hybrid solution in which they would host
            the SDC, collect the data, and deliver a daily log via FTP. On your
            side, you would only have the Webtrends software and process the log
            on a daily basis. This way, you would have the flexibility that comes
            with the Webtrends software, without the hassle of hosting the SDC.
            Maybe that would alleviate your team's concerns.

            Lothaire


          • Seby Kallarakkal
            Message 5 of 14, Dec 14, 2007
              Hi Sergio,



              Thanks for sharing your thoughts and my apologies for the delay. You are so
              right about sys administrators.



              I've taken the feedback from this forum to the customers and they are of
              course, convinced. The trouble is with the systems team.



              The customer is almost ready to go live now. We have given them alternatives
              on what happens if the SDC server is not online :-)



              Regards,



              Seby Kallarakkal

              seby@...

              +91-80-25423566 Ext.207

              www.nabler.com

            • Seby Kallarakkal
              Message 6 of 14, Dec 14, 2007
                Hi Lothaire,



                Thanks for the information. I'm sorry for the delay in replying.



                Unfortunately, this customer has a corporate policy of not allowing their
                data to go outside their network. So hosting SDC with WT is not going to be
                an option. But like I said in my earlier email to Sergio, the customer is
                almost done with all kinds of audit and in all probability might go live in
                the next few days.



                As we move from using web server log files to SDC log files, I'm curious to
                see what happens to the data. Traffic should go up because it's a
                page-tagged solution. But then machine traffic would not be counted (which
                is a good thing) and the traffic would go down. So I'm really, really
                curious to see what happens!



                Regards,



                Seby Kallarakkal

                seby@...

                +91-80-25423566 Ext.207

                www.nabler.com

              • Sergio Maldonado
                Message 7 of 14, Dec 17, 2007
                  Happy to hear that, Seby!

                  Good luck with that last milestone...
