Re: [External] : Re: What's that line again about 'best practices'?
Date: Fri, 28 Oct 2022 08:39:15 -0400
Message-ID: <CAP79kiQF60AWf45DHzXMz3VxDUAtLZrLZVQu8OKjsAVQaHDnAQ_at_mail.gmail.com>
And to give some context to my question, I was in an argument with a cloud developer discussing SSM vs SSH in Amazon AWS and they've disallowed SSH "because we had a breach last year" (the breach was in their data center, before they went to cloud, and improperly hardened SSH).
Anyway, the adage was thrown out that "industry best practices are hard to argue with", while he ignored that ssh 'best practices' weren't followed when the breach occurred.
His whole argument for using this convoluted ssm setup could be applied to SSH hardening. Boggles the mind.
SSM is convoluted as heck for users: get an SSM session, then get an ssh tunnel opened back up to your machine so you can download/upload trace files, patch files, etc.
Chris
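Added example, not code from this thread or from any of the posters: a small POSIX shell audit of an sshd_config against a handful of commonly recommended hardening directives, which is the kind of mechanical check that "SSH hardening was followed" can be held to. The directive list, the expected values, and the two sample config files are assumptions constructed for the example, not settings quoted from the original message. It handles two sshd parsing details that trip up naive greps: sshd uses the first uncommented occurrence of a directive, and anything after a Match line only applies conditionally, so the global audit ignores it.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for a set of
# explicit hardening directives. The list below is this example's assumption
# of what "SSH hardening" means; adjust it to your own standard.
# An unset directive counts as a finding: the audit demands explicit settings
# rather than relying on the compiled-in defaults of a given OpenSSH build.
SSHD_EXPECTED='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3'

# sshd_effective FILE DIRECTIVE
# Print the effective global value of DIRECTIVE in FILE, or nothing if unset.
# sshd honours the first uncommented occurrence (keywords are case-insensitive),
# and directives after a "Match" line are conditional, so we stop there.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        tolower($1) == "match" { exit }            # conditional section begins
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_audit FILE
# Print one "FAIL ..." line per directive that differs from SSHD_EXPECTED.
# Returns 0 when every directive matches, 1 otherwise.
sshd_audit() {
    _file=$1
    _failures=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        _have=$(sshd_effective "$_file" "$_key")
        [ -n "$_have" ] || _have='(unset)'
        if [ "$_have" != "$_want" ]; then
            printf 'FAIL %s is %s, expected %s\n' "$_key" "$_have" "$_want"
            _failures=$((_failures + 1))
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    [ "$_failures" -eq 0 ]
}

# Constructed sample configs (not from any real host) so the audit runs offline.
SAMPLE_HARDENED=$(mktemp)
cat >"$SAMPLE_HARDENED" <<'EOF'
# constructed: hardened host
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
EOF

SAMPLE_WEAK=$(mktemp)
cat >"$SAMPLE_WEAK" <<'EOF'
# constructed: weak host, root login and passwords on, the rest left at defaults
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
EOF

for _f in "$SAMPLE_HARDENED" "$SAMPLE_WEAK"; do
    if sshd_audit "$_f"; then
        echo "PASS $_f"
    else
        echo "AUDIT FAILED $_f"
    fi
done
```

Run it against a real host with `sshd_audit /etc/ssh/sshd_config`; the exit status makes it usable from a CI or configuration-management check. Note that the audit reads the file as written and does not resolve Include directives or defaults, so `sshd -T` remains the authoritative view of the running configuration.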
On Fri, Oct 28, 2022 at 8:15 AM Jeff Smith <jeff.d.smith_at_oracle.com> wrote:
> Our ‘Best Practices’ are more like
>
> ‘What we think you should be doing’
>
> But we know what folks are googling is ‘Best Practices’
>
> I also hate this term, but it’s what the industry has landed on.
>
> *From:* oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> *On
> Behalf Of *Chris Taylor
> *Sent:* Friday, October 28, 2022 8:11 AM
> *To:* mwf_at_rsiz.com
> *Cc:* oracle-l_at_freelists.org
> *Subject:* [External] : Re: What's that line again about 'best practices'?
>
> Thank you Mark!
>
> On Thu, Oct 27, 2022, 4:28 PM Mark W. Farnham <mwf_at_rsiz.com> wrote:
>
> James Morle suggested something along the lines that they should be
> renamed Usual Practices (or something like that). I’ve called them Standard
> Minimum Starting Points and I pointed out that the only best practice I
> know of is to not allow things to be called best practices. Calling
> something a “best practice” tends to stifle attempts to do better.
>
> IF you can get something called a best practice into your service delivery
> standards and you implement that practice, you have a legal defense whether
> or not the users can do anything or not.
>
> Nothing can be proven to be a best practice. Things called best practice
> are sometimes really just good enough to be acceptable.
>
> You’ve probably caught the drift I believe “best practice” is a harmful
> term. Some things called “best practices” are really quite good initial
> starting points or usual practices that are just fine unless you need
> something better.
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:
> oracle-l-bounce_at_freelists.org] *On Behalf Of *Chris Taylor
> *Sent:* Thursday, October 27, 2022 1:59 PM
> *To:* oracle-l_at_freelists.org
> *Subject:* OT: What's that line again about 'best practices'?
>
> Mark or someone has an idiom I want to save this time....
>
> Something about best practices being written by people who don't have to
> support them or something .....
>
> Chris
>
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Oct 28 2022 - 14:39:15 CEST