Dan Jones's Blog

Summer Holidays

By Dan Jones in Reader

Posted in Uncategorized on August 29, 2007 at 11:44 am

Summer Holidays are a funny time of year, in our office at least, as support levels change on a daily basis - it really shows up the differing levels of skill in single teams. Though there’s one guy who we dread leaving on his.

Why?

He is the office Jonah. I.e., when he leaves, lots of stuff just breaks. It’s generally not software issues, it’s hardware, and sometimes it’s not even stuff he maintains. He’s just a bad luck charm, or rather is when out.

This is the 3rd year this has happened, which is too much in my mind to be a coincidence.

This week alone we’ve had 3 hardware faults on firewalls, a major outage on another piece of software. And I just got told today the 4 of our WAN optimisation devices in the UK are being replaced - as they have an electrical fault. We’re normally lucky to have one go wrong a week.

Anyone else have bad luck in holidays when one individual leaves?


India/Offshoring technical Competence (or lack thereof)

By Dan Jones in Reader

Posted in Uncategorized on August 28, 2007 at 2:17 pm

This weekend, had a nightmare Saturday, as I got called out 10 times on the same issue by what was a totally incompetent freshly outsourced help(hell)desk in Mumbai.

Now a lot of the problems I am about to describe are easily fixed, but the sheer lack of technical competence/common sense actually shocked me.

Big issues this weekend when called out on a Banking link not working in London:
1/ I’m not supposed to be called out on a single (or up to 5) user issue. No matter how urgent. I am on call for site down/kit broken/stuff affecting over 50 people (or will do on Monday if not fixed before users get in). So how come you are calling me for a single user working in London?
2/ I expect a call to have some degree of common sense. In this case Website down wasn’t the complete story - it did work from Germany. Should a ticket not contain more than just Website down urgent, URL? Now the question to the user would then be why?
3/ Did this work on Friday? Ah no, again it’s never been tested outside of Germany?
4/ Ah we have a private banking link to this bank in Germany - could actually be by design that the site only works in Germany?

In another set of calls later I got mis-called - i.e. for areas I don’t support - 4 times. I do security and networks, not Exchange Server or SQL Server you numpty. It did get boring the 4th time, especially at 2am.

Now I can pretty much guarantee all of this would have been asked by the UK or US desk before it made it to me and I wouldn’t have been mis-called. Why does our Indian desk lack what is common sense to the rest of the world - they have after all been working with the UK/US people for 3 months and should know all the above.

Luckily I haven’t been the only person experiencing the above this weekend - the management here have had so many complaints from the techs here, that they are apparently not going to let India run the show next weekend until the underlying issues of common sense are resolved.


Networking spares

By Dan Jones in Reader

Posted in Uncategorized on August 16, 2007 at 1:11 pm

Had fun at work this week tidying and clearing the office of the legacy old spares from the old storage cupboards - part of a shutdown of a computer facility we run.

Amazed at what useless kit we kept in there:
A spare mini-IDX (without any useful modern interconnects so useless) + 25 handsets
Several ancient old Cabletron switches with cards capable of a whole 10Mbit/sec. Had a 100Mbit/sec uplink. Sounded like jet aircraft when power reapplied, and were 12U and 4U in height
Lots of obsolete NTUs from various telcos from all over the globe (we act as a clearing house).
Over 200 AUI -> 10baseT converters.
Several network IDSs from years ago, that were now out of support & therefore useless (Cisco).

More amazed at the piles of useful converters, fibre cabling - that had found their way to the back of the cupboard and never been properly cataloged. Prior to this we had been short on such official spares, so this saved us restocking the main supply.

Also was amazed when the server team found servers sat in their original boxes in a deep cupboard, that had never been opened, dating back to 1996 (prior to any of us working here). Well at least they weren’t in the cupboard on and powered, with no-one knowing what they did (like the old place I worked).

Don’t you love a good clean?


Facebook email usefulness

By Dan Jones in Reader

Posted in Facebook on August 8, 2007 at 11:42 am

I have to say I am addicted to Facebook’s email client. Why?

It’s excellent at a multi-person conversation. If you email everyone on your friends list about an event or similar, then the responses are nicely threaded, so you can read and keep up to date. Facebook mobile also follows the thread really well and works really well on my N73.

Before anyone comments on this: yes, Googlemail is good, and broadly similar in its threading. My personal mail with spam filtering is also good combined with Thunderbird. That said, neither spam filtering is perfect - unlike Facebook where you can’t send me a mail unless you are a member… and as all my friends are on there, Facebook inbox gets more user-time than either of my other mailboxes at the moment.

Anyone else finding they are using Facebook mail more and more daily?


Web App Security - or lack of

By Dan Jones in Reader

Posted in Security on August 6, 2007 at 12:01 pm

Web App security:

I haven’t been blogging in a while due to a sudden influx of work… Basically my past 4 months have been spent doing in-house testing of security vulnerabilities of internally/externally developed applications and also giving guidance to offshore developers from development stage on what to avoid in their code - and testing proactively through the development cycle.

Am amazed. Really amazed how many application developers don’t follow the basic OWASP guidelines and top 10.

To summarise: we’ve done in-depth testing of 5 apps (which had no security involvement up until 4 weeks before go-live). Of these 5, all 5 failed one or more OWASP top ten items. More concerning is the fact that 3 of them were vulnerable to > 7 of the top ten, and one had a final count of 9 (yes it did use https so go figure…).

More concerning was one commercial app which is actually live on the net as a managed solution and used by other companies in the relevant field (can’t name it as only 2 commercial apps in this space) - we rejected the app due to what we found. Their response to the in-house audit findings? Blinkers - initial response: “but E&Y Audited us and gave us a clean bill of health”. And no, I’m not naming and shaming them, but it is serious… They finally accepted our point when we refused to actually sign and use their product purely on their lack of security.

Basically web-app security now is far more important in my opinion than many other forms of security - mainly as it’s been overlooked over the past few years.

Downsides in the field so far are that although commercial tools such as Watchfire’s AppScan are good - they only help in the process - they are not a “QA” tool, and should not be handed to basic QA testers - as a Watchfire all-okay scenario does not mean a clean site.

That said, with the tools that come with Watchfire and the ability of extensions to do custom extra tests - it does greatly reduce test time from all-manual testing. So overall I’m happy for work to have purchased several seat licenses, as it has made some parts of the job easier.
