Career opportunity: Domino security expert

By Leslie Goff

If you've ever wondered about the value of becoming a Domino security expert, your time has come.

The demonstration in July of security vulnerabilities in Domino and Notes applications by consultants from Security Design International (SDI) Group and The Trust Factory at the annual DefCon meeting in Las Vegas brought attention to the fact that just following Domino's built-in security procedures may not be enough to protect your applications and databases from corporate intruders.

"There's been a shared assumption that if you had a tight Domino server, you were pretty safe. But now, beyond just Domino security, an overall understanding of Internet security is clearly a benefit," says Paul Della-Nebbia, a principal of The Learning Continuum, Boca Raton, Fla., a Notes distance learning provider. "When you have a strong understanding of security issues, it sets you apart from other Domino professionals."

Too many Domino administrators lack even rudimentary Domino security expertise, says Chris Goggans, director of operations at the SDI Group, Annandale, Va., who was one of the DefCon presenters. In his last 20 vulnerability assessments for corporate clients, he says, he found basic security flaws in Notes deployments. In one company, for example, the Domino servers were accessible via the Net, and critical system databases, like names.nsf, were available to anonymous browsing.

"There seems to be a shortage of people who have even the basic Notes/Domino security features down pat," Goggans says. "Beefing up your security expertise is definitely a good way to move your career forward."

In the Domino environment, at least 90% of the security burden lies with administrators rather than developers, notes Jeff Allen, a programmer at Computerworks, an Albany, N.Y.-based Lotus ISV. "As a development platform, Domino has some inherent security features built into it and developers are forced to work within those guidelines," he explains.

Domino administrators are well advised to come up to speed on at least the access control list and the execution control list. "That's just a given, a bare minimum," Goggans says. Ultimately, administrators should take a more holistic approach, going the extra mile to master the security features of the operating systems on which Domino runs, including Windows, Unix and AS/400.

"Domino administrators get too wrapped up in the specific applications rather than looking at big picture security issues," Goggans says. "In our assessments, we've been able to compromise Domino applications because of vulnerabilities in the operating system they were installed on. If the administrators were more [OS] savvy and knew how to tighten down [the OS], they wouldn't have been so vulnerable."

Not only will your company benefit from the extra effort, your career will benefit as well. Goggans points out that combining Domino administration experience with OS security expertise "makes you more well rounded and opens up a lot of doors."

And according to the 1999 salary survey of 11,064 systems administrators by the SANS Institute, administrators who managed three or more platforms earned higher salaries than those responsible for only one or two. Security administrators, security auditors and security consultants earned more than database administrators, systems administrators or network administrators.

Domino security links
Lotus Security Zone
Lotus Notes and Domino R5.0 Security Infrastructure
Securing Your Application: A Notes.net Learning Byte
Lotus Notes Vulnerability Details from the SDI Group-Trust Factory DefCon Presentation

Security news, alerts and response information
Computer Emergency Response Team
The SANS Institute
Security Focus

Security primers for beginners
Security 101 (at SecurityPortal)
Tech Tips (at CERT.org)
How to Eliminate the 10 Most Critical Internet Security Threats (at SANS.org)
Mistakes That End-Users, Executives and IT Professionals Make That Lead to Security Breaches (at SANS.org)
Information Security Reading Room (at SANS.org)

Security education and training links
GIAC Training and Certification Program (developed by SANS and the Global Incident Analysis Center)
CERT Training and Education (in conjunction with the Software Engineering Institute at Carnegie Mellon)
Capitol SANS

This was first published in September 2000
