2

I'm just curious about this. Say the system was 100% patched up. Should the administrator also be responsible for cross-site scripting issues?

Zoredache
John Ingles
  • Define responsibility? You aren't expecting the sysadmin to fix the broken application code, are you? – Zoredache Nov 16 '11 at 17:57
  • responsibility of making sure they're not there. – John Ingles Nov 16 '11 at 17:59
  • A sysadmin doesn't necessarily have access to the code, and doesn't necessarily have any background in software development. How should he know if an issue is present or not? If the sysadmin is made aware of an issue, he may help avoid it. – Zoredache Nov 16 '11 at 18:02
  • that the vulnerabilities aren't there? Sysadmins aren't in charge of QA for coders nor code auditing. – Bart Silverstrim Nov 16 '11 at 18:03
  • @John Generically, finding XSS vulnerabilities is a job for whoever's responsible for auditing the environment's security. The person who gets that responsibility is an organizational decision. – Shane Madden Nov 16 '11 at 18:04

2 Answers

3

This might get closed for being argumentative, but it seems to be the responsibility of the admin to get the patches in place and fix/contain problems, and the developer is responsible for the actual fix to the application/site.

Admins can't patch what there's no patch for. But they do have to be responsible for trying to clean up the mess (disaster/data recovery) and containment (monitoring for problems, detecting an issue, restoring service, etc.)

Bart Silverstrim
2

The answer is either 'all of the above', or 'depends on the environment'.

I am sure some issues may be mitigated by certain configurations on the server. Therefore, the sysadmin should fix and modify any configurations to avoid any issues.

But the person who developed the code should be fixing the code. Or at least it should be someone with a strong background in software development or security.

Zoredache