Thomas Limoncelli: Ten Software Vendor Do’s and Don’ts

From a panel discussion at a recent CHIMIT (Computer-Human Interaction for Management of Information Technology), summarized and published at the Association for Computing Machinery. A good read, right through the comments.

Thomas covers non-GUI, scripted and unattended installation, administrative interfaces, API’s, config files, monitoring, data restoration, logging, vulnerability notification, disk management, and documentation. The comments cover more.

Comments on the above:

API’s: In our latest RFP’s, we ask ‘What percentage of your application functionality is exposed via API’s?’ These can RFP’s can have an $8-digit tail on them, so odds are that they actually read them. I like sending messages to vendors.

Installation layout, location: I really like non-OS software to be completely contained in something like /opt/<application>. I don’t like third party software mucking up /etc, /var, or /usr. When I’m done with the software, I want to be able to pkgrm and rm –rf and have a server that is as clean as the day it was installed. I don’t like having to rummage through /usr, /usr/local, /var and /etc looking for remnants of your old install. Odds are I will not be able to figure it out and your junk will be there five years from now. That points seems to be contended in the comments though.

I’m to the point where if your application needs Perl, Python, or miscellaneous libraries, I am going to install a separate copy of the runtime or library in /opt/<application>/lib or /opt/<application>/perl.

More things that I’d like to see on application software:

11. Separately securable administrative interface. I likely will expect to be able to hide the /admin/everyfriggenthing URL behind a different IP address and protect it with a firewall, VPN, load balancer, Apache mod-something, 2-factor, etc. The security of any application interface that has the ability to modify more than one users data should not be treated the same as the interface used by the general public.

12. Updated Java, Python, Perl, … runtimes. Honestly – I have really expensive software from each of the worlds largest 2, 3 and 6 character fortune really-small-number corporations in my shop, and each of them has at least one current product that does not run under a current, non-exploitable JVM. Can you please recompile that crap so it works with a recent run time? A few years ago when Sun announced one of their Java exploits, we opened up security incidents with each of our vendors that had embedded JRE’s, asking for a version of the application that runs on a non-exploitable run time. In every case, the vendors bumbled around for days until they finally admitted that they do not update embedded JRE’s on products when the JRE is exploitable.

13. Software that doesn’t roll over and die when scanned with commonly available vulnerability scanners. That’s just dumb. That tells me that you shipped me software that YOU did not scan with a network vulnerability scanner. Tell me again about the security of your internal corporate network?

I’m afraid this could be a long list.

Thanks for the tip Kevin.