Opt-In Security
11 July 2012, early afternoon
If you are using Hudson/Jenkins you might want to review this article by my coworker: The Operational Reality of Opt-In Security Controls.
This has been a topic of much discussion in my office for the last couple weeks. My co-worker, unaware of what Jenkins and Hudson were all about, thought he had found a pretty crazy exploit while doing an assessment. It turns out he had actually found was a poorly configured instance of Hudson. Responses to his outreach have been mixed, to say the least. The people behind Hudson and Jenkins feel this isn’t a problem for them to solve. They provide a guide to harden your install, and feel it’s up to their users to ensure they deploy things properly. (This is similar to the attitude Rails developers took to their mass-assignment bug.)
Using Google he ended up finding misconfigured automated-build servers all over the Internet. (You’d actually be surprised and/or terrified by some of the people who had exposed their servers in this fashion.) He’s been sitting on this post for ages, waiting for people he has notified to get back to him on whether they have secured their install or not. For every person who replies promptly with a thank you, there are probably two people who don’t reply at all or who quietly fix their install and pretend he never got in touch.
I suspect one reason people simply go the no warning full disclosure route when they find vulnerabilities isn’t because they are trying to be malicious, but simply because it’s the path of least resistance. I suppose this is why patience is an important attribute for a good security professional.