Security Debacle

I had previously mentioned that a security audit showed we were logging sensitive information to a plain text file. My solution to this problem was to encrypt the file. I thought it would be fun to research and implement some encryption code. However the boss said we had to use the approved method from the customer. Furthermore we had to use their routines. This quickly turned into a boring task. So I put it aside. The boss told me to get our security guy to find out what method the client requires, and to obtain the necessary code to do it.

So I gave out security guy a call. He said he would get us the information in a couple days. The boss checked on the status with me. Apparently our security guy had made some promises to the customer based on his research. I told the boss I was still waiting to hear back from this dude. We both conference called him. He said he had researched the question and provided an email with his findings to development. My boss asked who exactly in development he sent the information to. He said he emailed it to Hugh. The only problem with that is there is no Hugh working in software development. I thought to myself “poor Hugh”.

The next day I got an email containing the information that the security guy had sent to Hugh. It seems our guy queried some security folks in our company instead of checking with the client. The assorted responses were precious. I could not make this stuff up if I tried. One person stated, “In college I wrote a paper on applications for database security, including encryption.” Another guy chimed in with “Why don’t you look at Oracle 11G? I believe inherent within the RDBMS there is encryption as part of the package.”

These responses put the boss over the edge. I spoke with our security guy. And I told him we have some Windows C++ applications that wrote log files in plain text on the local hard drive. We just need to write encrypted files. It has nothing to do with Oracle or databases. Then the boss made me call him back to tell him we needed the information today. That caused security guy to recommend that we use McAfee SafeBoot. Now I am no security expert. However I think SafeBoot is something you use to encrypt the whole hard disk, or a file that the user specifies. However I think it best to keep an open mind about this. You never know. I might get a few more laughs out of this exercise. In the end, I think my boss will cave in and let me roll my own encryption algorithms. At least I could implement an industry standard like 3DES or AES.