Monday, August 12, 2013

Security Laws

I just ran across the Ten Immutable Laws Of Security from TechNet (Link):

  1. If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  4. If you allow a bad guy to run active content in your website, it's not your website any more.
  5. Weak passwords trump strong security.
  6. A computer is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as its decryption key.
  8. An out-of-date antimalware scanner is only marginally better than no scanner at all.
  9. Absolute anonymity isn't practically achievable, online or offline.
  10. Technology is not a panacea.

Several of these stand out in the context of Arena.

#4 is the reason I hate iframes for anything that doesn't come from your own servers. It's also why Arena has built-in approval systems for pretty much everything that gets posted as content, and why I very much frown upon any attempts to ignore or bypass that approval process.

#5 is the reason I encourage everyone to increase the minimum requirements on the password complexity RegEx. An 8-character minimum is still fairly reasonable for a password, and if you're doing online giving or anything involving money, my password in your system is going to run the full gamut of upper and lower case, alphanumeric, and special characters at a 16+ character length. But a combination of #5 and #7 means my password security doesn't really matter if an administrator with "pass1" as their password gets compromised. While you can't view their actual passwords, you can view the salted hash result in SQL, and I highly encourage you to go create a login on a security-less record and then rotate through a couple of common passwords, comparing the hash of that user's results to the other password hashes in your database (basically a smaller version of a rainbow table attack, but the goal is to force people to have good security). If you can guess their password in the first 20 or so that you come up with (suggestion: "password" + month numbers), they need to change that.
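The two checks described above, written out as an added example (this is not Arena's code, and the hash scheme is an assumption): a complexity RegEx of the kind the post recommends, and a weak-password audit that re-hashes a short list of common passwords with each login's own salt and flags any stored hash that matches. The `LoginRecord` shape, the `hash_password` scheme (hex SHA-256 over salt followed by password), and the sample users and salts are all constructed for the demo; the candidate list is the post's own suggestion of "password" plus month numbers.

```python
import hashlib
import re
from dataclasses import dataclass

# Policy regex (constructed for this example): 8+ characters with at least one
# lower-case letter, one upper-case letter, one digit and one special character.
PASSWORD_POLICY = re.compile(
    r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$"
)


def meets_policy(password: str) -> bool:
    """Return True if the password satisfies PASSWORD_POLICY."""
    return PASSWORD_POLICY.fullmatch(password) is not None


def hash_password(salt: str, password: str) -> str:
    """Assumed scheme: hex SHA-256 over salt followed by password.
    This is a stand-in for the demo; a real audit must use the
    application's own hashing routine so the hashes are comparable."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


@dataclass
class LoginRecord:
    """Hypothetical login row: username, per-user salt, stored hash, admin flag."""
    username: str
    salt: str
    password_hash: str
    is_admin: bool


# Candidate list from the post: "password" + month numbers, plus two obviously
# weak values it mentions. Keep this short; the goal is to catch the worst cases.
COMMON_PASSWORDS = ["password", "pass1"] + [f"password{m}" for m in range(1, 13)]


def audit_weak_passwords(records, candidates=COMMON_PASSWORDS):
    """Re-hash every candidate with each login's own salt and return a dict of
    username -> matched candidate for logins whose stored hash matches one.
    Admin accounts are checked (and listed) first, because a weak admin
    password undermines everyone else's strong one (laws 5 and 7)."""
    findings = {}
    for rec in sorted(records, key=lambda r: not r.is_admin):
        for cand in candidates:
            if hash_password(rec.salt, cand) == rec.password_hash:
                findings[rec.username] = cand
                break
    return findings


def sample_records():
    """Constructed sample logins; usernames, salts and passwords are made up."""
    seeds = [
        ("admin", "salt-a1", "pass1", True),
        ("jdoe", "salt-b2", "password8", False),
        ("strong", "salt-c3", "Tr0ub4dor&3-long-phrase", False),
    ]
    return [LoginRecord(u, s, hash_password(s, p), a) for u, s, p, a in seeds]


if __name__ == "__main__":
    for user, cand in audit_weak_passwords(sample_records()).items():
        print(f"{user}: hash matches common password {cand!r}; require a reset")
```

Because the salt is per user in this example, one test login's hash cannot simply be compared against other rows; each candidate has to be re-hashed with the target row's salt, which is what the loop does. If the application uses a single global salt, the shortcut in the post (create a test login, set a common password, compare its hash column against everyone else's) works directly, since identical passwords then yield identical hashes.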

#6 is one that I think applies in two ways. First: it is categorically impossible to completely prevent your Arena Administrator (read: the person in charge of administering Arena, not just the security role) from being able to view something in the database (such as SSNs, counseling records, or even secured notes) as long as they have access to the Security Roles area. But you can't lock them out of Security Roles, because then they'd be unable to do their job. So if you don't trust someone 100% (I'd say 110%, but then my OCD kicks in), don't make them your database administrator. Second: there is such a thing as a system that is too secure. You should have a record in your system with first name "HitBy", last name "ABus", and an inactive record status. This record should have an active login with a long and complex username and password, should be a Global Admin, and that login's information should be stored away in a fire safe somewhere off-site. If you only have one administrator who can access your SQL database to get at that information, you really need a backup access mechanism in case that person leaves suddenly (for any reason, voluntary or not) and you need access to your data immediately.
