Career opportunity: Domino security expert

By Leslie Goff

If you've ever wondered about the value of becoming a Domino security expert, your time has come.

The demonstration in July of security vulnerabilities in Domino and Notes applications by consultants from Security Design International (SDI) Group and The Trust Factory at the annual DefCon meeting in Las Vegas brought attention to the fact that just following Domino's built-in security procedures may not be enough to protect your applications and databases from corporate intruders.

"There's been a shared assumption that if you had a tight Domino server, you were pretty safe. But now, beyond just Domino security, an overall understanding of Internet security is clearly a benefit," says Paul Della-Nebbia, a principal of The Learning Continuum, Boca Raton, Fla., a Notes distance learning provider. "When you have a strong understanding of security issues, it sets you apart from other Domino professionals."

Too many Domino administrators lack even rudimentary Domino security expertise, says Chris Goggans, director of operations at the SDI Group, Annandale, Va., who was one of the DefCon presenters. In his last 20 vulnerability assessments for corporate clients, he says, he found basic security flaws in Notes deployments. In one company, for example, the Domino servers were accessible via the 'Net, and critical system databases, like names.nsf, were available to anonymous browsing.
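The anonymous-browsing finding above is something an administrator can check for in the server's own HTTP access log. The script below is an added example, not code from the article, from Lotus or from the SDI Group: it parses constructed sample lines in Common Log Format (a format Domino's HTTP task can write its access log in; how an unauthenticated user is recorded, as "-" or as "Anonymous", is an assumption here and both are handled) and reports only successful responses to anonymous requests for well-known system databases. A 401 is deliberately not reported, since it means the ACL refused Anonymous and the server asked for credentials.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format. The hosts are
# documentation addresses; the user-field values are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2000:10:01:02 -0400] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 4821
203.0.113.7 - - [12/Sep/2000:10:01:05 -0400] "GET /names.nsf/People?OpenView HTTP/1.0" 200 19233
198.51.100.4 - "CN=Jane Doe/O=Acme" [12/Sep/2000:10:02:10 -0400] "GET /names.nsf/People?OpenView HTTP/1.0" 200 19233
203.0.113.9 - Anonymous [12/Sep/2000:10:03:44 -0400] "GET /log.nsf?OpenDatabase HTTP/1.0" 401 0
203.0.113.9 - - [12/Sep/2000:10:04:01 -0400] "GET /catalog.nsf?OpenDatabase HTTP/1.0" 200 3020
192.0.2.55 - - [12/Sep/2000:10:05:00 -0400] "GET /sales/orders.nsf?OpenDatabase HTTP/1.0" 200 8800
"""

# Standard Domino system databases that should not be readable by Anonymous.
# A starting list for illustration; extend it for your own server.
SYSTEM_DATABASES = {
    "names.nsf", "log.nsf", "catalog.nsf", "admin4.nsf",
    "domlog.nsf", "statrep.nsf", "events4.nsf",
}

# host ident user [time] "method path proto" status size
# The user field may be a quoted Notes name containing spaces.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>"[^"]*"|\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one Common Log Format line into a dict; return None for a
    malformed line so one bad record does not abort the whole scan."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].strip('"')
    rec["status"] = int(rec["status"])
    return rec


def is_anonymous(user):
    """Treat an empty, '-' or 'Anonymous' user field as unauthenticated."""
    return user in ("", "-") or user.lower() == "anonymous"


def database_name(path):
    """Return the lower-cased .nsf file name in a request path, or None.
    '/names.nsf/People?OpenView' -> 'names.nsf'."""
    for segment in path.split("?", 1)[0].split("/"):
        if segment.lower().endswith(".nsf"):
            return segment.lower()
    return None


def find_anonymous_system_access(log_text, system_dbs=SYSTEM_DATABASES):
    """Return one finding per successful anonymous request to a system database."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        db = database_name(rec["path"])
        # Only a 2xx means the database was actually served. A 401 means the
        # ACL denied Anonymous and the server asked for credentials.
        if db in system_dbs and is_anonymous(rec["user"]) and 200 <= rec["status"] < 300:
            findings.append({"host": rec["host"], "db": db,
                             "status": rec["status"], "path": rec["path"]})
    return findings


def summarize(findings):
    """Count findings per (client host, database) for a quick report."""
    return Counter((f["host"], f["db"]) for f in findings)


if __name__ == "__main__":
    found = find_anonymous_system_access(SAMPLE_LOG)
    for (host, db), n in summarize(found).items():
        print(f"{host} read {db} anonymously {n} time(s)")
```

Run against a real log by reading the file into `find_anonymous_system_access`; any hit means the database's ACL grants Anonymous more than No Access and should be reviewed, regardless of how tightly the server document itself is configured.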

"There seems to be a shortage of people who have even the basic Notes/Domino security features down pat," Goggans says. "Beefing up your security expertise is definitely a good way to move your career forward."

In the Domino environment, at least 90% of the security burden lies with administrators rather than developers, notes Jeff Allen, a programmer at Computerworks, an Albany, N.Y.-based Lotus ISV. "As a development platform, Domino has some inherent security features built into it and developers are forced to work within those guidelines," he explains.

Domino administrators are well advised to come up to speed on at least the access control list and the execution control list. "That's just a given, a bare minimum," Goggans says. Ultimately, administrators should take a more holistic approach, going the extra mile to master the security features of the operating systems on which Domino runs, including Windows, Unix and AS/400.

"Domino administrators get too wrapped up in the specific applications rather than looking at big picture security issues," Goggans says. "In our assessments, we've been able to compromise Domino applications because of vulnerabilities in the operating system they were installed on. If the administrators were more [OS] savvy and knew how to tighten down [the OS], they wouldn't have been so vulnerable."

Not only will your company benefit from the extra effort, your career will benefit as well. Goggans points out that combining Domino administration experience with OS security expertise "makes you more well rounded and opens up a lot of doors."

And according to the 1999 salary survey of 11,064 systems administrators by the SANS Institute, administrators who managed three or more platforms earned higher salaries than those responsible for only one or two. Security administrators, security auditors and security consultants earned more than database administrators, systems administrators or network administrators.

Domino security links
Lotus Security Zone

Lotus Notes and Domino R5.0 Security Infrastructure

Securing Your Application: A Learning Byte

Lotus Notes Vulnerability Details from the SDI Group-Trust Factory DefCon Presentation

Security News, Alerts and Response Information
Computer Emergency Response Team

The SANS Institute

Security Focus

Security primers for beginners
Security 101 (at SecurityPortal)

Tech Tips (at 

How to Eliminate the 10 Most Critical Internet Security Threats (at 

Mistakes That End-Users, Executives and IT Professionals Make That Lead to Security Breaches (at 

Information Security Reading Room (at 

Security education and training links
GIAC Training and Certification Program (developed by SANS and the Global Incident Analysis Center)

CERT Training and Education (in conjunction with the Software Engineering Institute at Carnegie Mellon

Capitol SANS

This was last published in September 2000
