cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From oleg yusim <olegyu...@gmail.com>
Subject Re: Session timeout
Date Fri, 29 Jan 2016 21:23:32 GMT
Alex,

No offense are taken, your question is absolutely legit. As we used to joke
in security world "putting on my black hat"/"putting on my white hat" -
i.e. same set of questions I would be asking for hacking and protecting the
product. So, I commend you for being careful here.

Now, at that particular case I'm acting with my "white hat on". :) I'm
hired by VMware, to help them improve security posture for their new
products (vRealize package). I do that as part of the security team on
VMware side, and working in conjunction with DISA (
http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
explained this term in details in this same thread above, in my response to
Jon, so I wouldn't repeat myself here) for all the components vRealize
suite of products has, including Cassandra, which is used in one of the
products. This STIGs would be handed over to DISA, reviewed by their SMEs
and published on their website, creating great opportunity for all the
products covered to improve their security posture and advance on a market
for free.

For VMware purposes, we would harden our suite of products, based on STIGs,
and create own overall Security Guideline, riding on top of STIGs.

As I mentioned above, for both Cassandra and DSE, equally, this document
would be very beneficial, since it would enable customers and help them to
run hardening on the product and place it right on the system, surrounded
by the correct set of compensation controls.

Thanks,

Oleg

On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <alexp@datastax.com> wrote:

>
> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <olegyusim@gmail.com> wrote:
>
>> Thanks for encouraging me, I kind of grew a bit desperate. I'm security
>> person, not a Cassandra expert, and doing security assessment of Cassandra
>> DB, I have to rely on community heavily. I will put together a composed
>> version of all my previous queries, will title it "Security assessment
>> questions" and will post it once again.
>
>
> Oleg,
>
> I'll apologize in advance if my answer will sound initially harsh. I've
> been following your questions (mostly because I find them interesting), but
> I've never jumped to answer any of them as I confess not knowing the
> purpose of your research/report makes me caution (e.g. are you doing this
> for your current employer evaluating the future use of the product? are you
> doing this for an analyst company? are you planning to sell this report?
> etc. etc).
>
>
> --
> Bests,
>
> Alex Popescu | @al3xandru
> Sen. Product Manager @ DataStax
>
>

Mime
View raw message