I'm just about to start working with 2 permies on an application security project. Right mess at the moment with 2 separate security repositories developed in isolation from each other and all the security rules embedded in the apps. Totally userid-centric with no concept of roles/groups. Every user has a profile slightly different from every other user. Maintenance horror story.
So much to improve and Client is keen so that's all good.
Trouble is the only other guy who comprehends when I start wittering about a decoupled security subsystem, native security facilities of the OS, role-based design etc. is a freelancer working on another project. It's blank looks all round from the guys on the project - one of them is the guru on how the current security 'mechanism' works.
I'm going to set up some presentations to explain the concepts as best I can, but I just wondered if anyone had thoughts on moving people from a primitive mess to best practice when there is political will, but little insight.
Should just add that I am not a security expert so I'm a little nervous about all this. I do have 20+ years of working in environments with very good IT security implementations and management though.
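The userid-centric state described in the post above (one slightly different permission profile per user, rules embedded in the apps) can be attacked mechanically rather than by presentation alone: group users whose legacy permission sets are identical to get candidate roles, move the authorization decision into a separate policy object the apps merely query, and then diff the new policy's grants against the legacy profiles so nobody silently gains or loses access at cut-over. The following is an added example, not code from the original post or from the project it describes; the users, permission strings and role names are constructed sample data.

```python
"""Added example (not from the original post): mining candidate roles from
per-user permission profiles and checking a hand-curated RBAC policy against
the legacy grants before cut-over. All names and sample data are constructed."""
from collections import defaultdict

# Constructed sample of the legacy state: one ad-hoc permission set per userid.
LEGACY_PROFILES = {
    "alice": {"invoice:read", "invoice:write", "report:read"},
    "bob":   {"invoice:read", "invoice:write", "report:read"},
    "carol": {"invoice:read", "report:read"},
    "dave":  {"invoice:read", "report:read", "user:admin"},
    "erin":  {"invoice:read", "invoice:write", "report:read", "report:export"},
}


def mine_roles(profiles):
    """Group users with identical permission sets; each group is a candidate role.
    Returns a list of (permissions, members) sorted by group size, largest first."""
    groups = defaultdict(list)
    for user, perms in profiles.items():
        groups[frozenset(perms)].append(user)
    return sorted(((set(p), sorted(u)) for p, u in groups.items()),
                  key=lambda g: (-len(g[1]), sorted(g[0])))


class RbacPolicy:
    """Decoupled authorization: the app asks is_allowed(); it never embeds rules."""

    def __init__(self):
        self.role_perms = {}
        self.user_roles = defaultdict(set)

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def permissions_of(self, user):
        # Effective permissions are the union of the user's roles; unknown user -> empty set.
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def is_allowed(self, user, perm):
        return perm in self.permissions_of(user)


def migration_diff(policy, profiles):
    """Per user: permissions the new policy grants that legacy did not (gained)
    and legacy permissions the new policy drops (lost). Empty dict == identical."""
    diff = {}
    for user, legacy in profiles.items():
        new = policy.permissions_of(user)
        gained, lost = new - legacy, legacy - new
        if gained or lost:
            diff[user] = {"gained": sorted(gained), "lost": sorted(lost)}
    return diff


def curated_policy():
    """Hand-simplified roles an admin might propose after looking at mined groups.
    Deliberately drops erin's one-off report:export so the diff has something to flag."""
    p = RbacPolicy()
    p.define_role("invoice_clerk", {"invoice:read", "report:read"})
    p.define_role("invoice_editor", {"invoice:read", "invoice:write", "report:read"})
    p.define_role("user_admin", {"user:admin"})
    for u in ("alice", "bob", "erin"):
        p.assign(u, "invoice_editor")
    p.assign("carol", "invoice_clerk")
    p.assign("dave", "invoice_clerk")
    p.assign("dave", "user_admin")
    return p


if __name__ == "__main__":
    for perms, members in mine_roles(LEGACY_PROFILES):
        print(f"{members}: {sorted(perms)}")
    print("diff vs legacy:", migration_diff(curated_policy(), LEGACY_PROFILES))
```

The point of `migration_diff` is that role consolidation always loses some one-off grants; running the diff against the real profile table turns each of those into an explicit decision (keep as an extra role, or confirm the user should not have had it) instead of a surprise after go-live.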