Oct 13, 2015

#jnuc - Novel Solutions with JAMF IT

I chose this to learn various ways the software is being used. Because the room is smaller and much more crowded, I am not able to get out my laptop in order to compose my notes. So, I will just let you know this is what I'm doing, and later I will post thoughts, ideas, etc.

#jnuc - Software Security and Vulnerability

Why I chose this:
I am always looking for different perspectives of support and this one stuck out as something I really don't often take into consideration. I'm hoping to learn a thing or two.
What we covered:

Testing

  • Understand the app
    • Traffic interception
    • Source code review
  • Send unexpected input
    • Manual or automated
    • Unusual or unexpected actions
  • Look for unusual results

Authentication/Authorization

  • Authentication identifies a user
  • Authorization grants permissions

Injection Flaws

  • User input is generally not trustworthy
  • Injection into HTML
  • Injection into SQL
  • Others

Cryptographic Flaws

  • Randomization
  • Keys
  • Identifying servers/clients
  • Don't do it yourself

Dependency Flaws

  • Open source
  • Third-party components
  • Different development styles
  • Different release cycles/security fixes
  • Different validations

Overview of Select Findings

  • Script download privilege escalation: the downloaded script executed as root; an attacker could execute the script, lock it, and run a new script in its place. Fixed by changing the script's location and permissions.
  • Insufficient authorization controls: the JSS was able to execute actions with the wrong user's privileges.
  • XML external entity (XXE) vulnerability: an attacker could read a file (e.g. a password file) and have it returned as plain text, cause a DoS, etc. Fixed by changing the XML parsing to disallow DTDs.
  • DES-ECB mode for passwords: DES has a small key size, ECB is a weak cipher mode, and both are prone to attacks. Fix: select a stronger algorithm and a more sophisticated cipher mode (AES-CBC), and migrate old passwords to the new scheme.
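
The "disallow DTDs" fix from the XXE finding above, as an added illustration that is not JSS code or the talk's own: a parser built on Python's standard-library expat that raises as soon as a DOCTYPE appears, before any entity declaration inside it can be processed. The sample documents are constructed.

```python
import xml.parsers.expat as expat
from xml.etree.ElementTree import Element, TreeBuilder


class DTDForbidden(ValueError):
    """Raised as soon as the parser sees a DOCTYPE declaration."""


def parse_without_dtd(data: bytes) -> Element:
    """Parse data into an Element, refusing any document that carries a DTD.

    The DTD is the only place a document can declare entities, so rejecting
    it up front blocks external entities (file disclosure) and
    entity-expansion denial of service alike.
    """
    builder = TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} rejected (SYSTEM id {sysid!r})")

    # Fires at '<!DOCTYPE', before any entity declaration inside it is seen.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.buffer_text = True
    parser.Parse(data, True)  # an exception raised in a handler propagates here
    return builder.close()


def is_accepted(data: bytes) -> bool:
    """True if the document parses, False if it was refused for carrying a DTD."""
    try:
        parse_without_dtd(data)
        return True
    except DTDForbidden:
        return False


# Constructed sample inputs (not from the talk): a benign record, and one that
# smuggles in a DTD declaring an external entity that points at a local file.
BENIGN_XML = b"<computer><name>lab-mac-01</name></computer>"
DTD_XML = (
    b'<!DOCTYPE computer [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
    b"<computer><name>&ext;</name></computer>"
)
```

A DOCTYPE with only an external subset (no inline entity declarations) is rejected by the same handler, which is the point of refusing DTDs wholesale rather than trying to filter entity declarations.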

Out-of-date Software

  • System dependencies with known, patched issues that you have not updated. Fix: subscribe to third-party release notices and incorporate dependency updates.

Secure Configuration Recommendations

  • Message verification: enable message signing using the host key/certificate.
  • Software install: various protocols could be used; fix is to use securable protocols (HTTPS, SMB3).
  • FileVault recovery key handling: FileVault 2 keys can be intercepted; fix is to use an institutional recovery key instead of an individual key.

Q&A

#jnuc - Adobe in Enterprise

Why I chose this:
We have a couple users that require more than what is offered by various other software companies in terms of creative applications. Adobe is one of the large sponsors of the conference, so I thought I would see what they have to say.

What was covered:

Karl Gibson, Product Manager

The purpose is to communicate with IT personnel to get the word out about changes in rollouts, etc. This lets IT folks get a jump on what's coming, good, bad or ugly.

Creative Cloud Overview

  • Download every app as soon as it is released
  • Use on mobile devices and sync projects across platforms
  • Deploy apps, services and updates from a central console; add/reassign seats
  • Two plans
    • Teams
      • Smaller teams/deploys
    • Enterprise
      • Large deploys

Cloud Packager

  • Creates packages for you when you sign in, based on your enrollment; download the packages for deployment

RUM

  • Remote Updater: Casper can invoke the updater
  • Download and cache updates, then install later
  • Verbose logging: successes, failures, and why they failed

New Installer Technology

  • Optimized installer, still proprietary to Adobe (not a flat installer nor an industry standard)

Enterprise Dashboard

  • Beefed up because enterprise customers have more demanding requirements
    • SSO/Federated Identity
    • User roles allow for different permissions in terms of rollout
    • User Management SDK: keeps the directory in sync with the dashboard
    • Managed Services - behind firewall
    • Document Cloud integrated as well
    • Cloud Packager included
    • Self-Service - Experimenting with running the apps with elevated privileges (if needed)

Identity Overview

  • Adobe ID, Enterprise ID, Federated ID
  • Different types based on the requirements of various types of users
  • Can also use serialized deployment, eliminating the need for usernames, etc.

There was a demo of the cloud management console.

There was a Q&A session after demo.