re: Don't make me hack your software VIEW POST

FULL DISCUSSION
 

I've had similar experiences with poorly chosen or poorly managed 'security' software, and I too have spent a little effort working around those poor choices, partly because it's satisfying but mostly because it helped a team or three be productive when the specific product was invasive and interfered with their day jobs. However - and this is the important bit for me - I didn't stop there with two fingers pointed at the infosec team, because I'm on that team too (it's called the company I work with!). I took the productivity issues to my colleagues whose job is to protect the rest of us from ourselves and too much hasty clicking through warnings.. and challenged all of us to find a better way to meet our security requirements.

In one specific example: a duty of care regulation requires the company to make efforts to protect employees from accessing harmful material on the 'net during their use of company equipment. The infosec team chose (poorly) to deploy Websense, which is a client-side proxy-based filtering product that diverts some http requests through the Websense filters. Unfortunately it only partly protects the end user, depending on which software honours the proxy settings, but does destroy anyone's ability to use Fiddler or other proxy-based network debugging tools - cue large drop in productivity from dev/QA/ops teams. Once challenged to find a better way, and with input from other team members who have worked for other organisations that have already been round this loop, we looked again at the requirements, and decided that we could use network-based transparent filtering to cover the majority of users on corporate networks without any client-side software products, then apply VPN tunnelling and managed default routes for remote workers / road warriors so their 'net traffic is filtered by default. This means our users can disable the protection if they wish, but it has to be a deliberate, knowing action, thus they are taking ownership of the risk, and the company is not at fault should something then go wrong.

 

I wish my company would agree on this, but they will never.

We also have Websense and we all HATE it. It caused lots of serious trouble to all the developers in my company (lately they force-installed a google chrome extension for it, but I figured out how to delete it :D).

 

Yep, Websense is not popular. FWIW my workaround was ridiculously easy as Websense relies on a hostname lookup to find it's PAC file.. so I resolve that in my hosts file to 127.0.0.1 then provide my own PAC. It took me 10mins to find and implement this, it would similarly allow a malware author to bypass it's protection, giving me a strong argument for not using client-side security controls, and encouraging the infosec team to look at other options.

 

Thanks for your reply. I'm going to talk to the admins about this. TBH I don't expect a quick resolution here. Our company is quite large and these things take a while usually.

code of conduct - report abuse