Fun With Security

Our application suite logs debug information to a file on the local disk drive. A security audit found that we were capturing sensitive information to this file. The fix was to stop doing that. However, we also got dinged for allowing free access to this log file. I thought we could address this concern by encrypting the file. This gave me all kinds of ideas of interesting security encryption code to write.

The software development manager said we had to use the approved encryption method that the client advocated. Still being excited over this project, I pored through the mounds of security requirements that our client has. This was a dry exercise. I thought I found a section on encrypting files like ours. It pointed to another standard. I read a little bit about this standard. It seemed a bit involved. There was a lot of math used. But that’s ok.

I found an example of the algorithm written in the C programming language. However, I still wanted to roll my own implementation. It is fun to write code. As a precaution, I went and told the software development manager what my intentions were. He told me we could not write our own implementation of the encryption. The security guys would not go for that. Instead I had to get the source code from our client.

This task keeps getting more and more boring by the second. Now my plan is to dump this onto a subcontractor. Perhaps instead I can work on a rule based engine that parses the audit information and suppresses the sensitive information. Hey. I am a company man. And although the overall mission is to solve problems for our customers, I got to have some fun while I am at it. Life is too short to do otherwise.