RE: Would you recommend such an application for production use?

From: Matthew Zito
Date: Wed, 17 Feb 2010 16:25:27 -0500

Depending on the size of the company that wrote the product, I wouldn't be surprised if they don't have a "hardening" guide for their product. So, by default, they leave things wide open, to improve user experience and ease of use (because unfortunately, very often as quality of security increases, ease of use and functionality decreases correspondingly).

However, odds are they have run into folks like you who are smart enough to crack the whip a bit from a security perspective, and they probably either have a doc on improving security, with documentation about what capabilities you lose accordingly, or they have someone you can talk to within the organization who can help you with your concerns.

I'd escalate those concerns to management, and see if you can't get on the phone with the vendor, and ask them to address the concerns. They might be more than keen to help you out.

(speaking as someone who has these kinds of discussions with customers all the time).


-----Original Message-----

On Behalf Of Martin Bach
Sent: Wednesday, February 17, 2010 4:20 PM
To: ORACLE-L
Subject: Would you recommend such an application for production use?

Dear listers,

I tried to come up with a good name for this post but couldn't. So here goes the story:

I have been asked to review a product that management is _very_ keen to deploy in production. Unfortunately before this can happen it has to go through a change management process which implies that "troublemakers" like me can raise their concerns that need addressing. For a change I have access to the source code of the application which makes it even more interesting.

Did anyone have a similar experience? What did you do?

Interested to hear comments!


-- Received on Wed Feb 17 2010 - 15:25:27 CST