Security Impressions

Recently at work, a newly updated web application was deployed. This particular application is based on Java and is using one of the newer versions of Java. This newer version of Java (compared to the very outdated version they used before) has introduced quite a few more security “features”. This basically equates to Run and Allow warnings along the way. The way this application is published, the “Always remember” checkboxes will reset themselves when you log off. So the owner of the application sent out an email to 10,000+ employees basically telling them to click “Run” and “Allow” on any prompts they receive when trying to log in to the application. I refused to accept this as a solution and found a way around it and removed the prompts.

As I was working on it, one of the other engineers I was working with stated, “I am not sure we want to give the impression that we can fix this every time,” since my “fix” may break on the next update. I blew off the comment and the fix was eventually deployed. Later, however, I thought about that comment. Yes, I do want to give users that impression. In fact, it’s important that I give users that impression. This application is an internal application that we trust with our data. If we train users to click “Run” and “Allow” on any prompt that comes up for this application, then when a prompt comes up for something that we don’t trust, someone will say, “Oh, you just click Run and Allow and those go away.” We don’t want users doing this to any old prompt they get. This has obvious implications for letting malware into the network. So yes, I do want to give the impression of a secure network and to train our users on safe network security practices.

Now if only we could get rid of the antivirus software we use… I won’t tell you what it is, but it rhymes with Fymantec.
