Comment by nnurmanov
18 hours ago
You have no idea how indifferent security officers can be, even when you point out critical issues. The other day, we flagged that a customer’s database had users with excessive privileges. Their only question: “Can this be exploited from the outside?”
No, but most breaches today come from compromised internal accounts that are then used to break everything.
What's the problem with having a local API connected over HTTP? We are within the enterprise network.
And that's how I passed for an annoying "PM". With half of the program management complaining that I was slowing things down until 6m later, when the head of risk management told them to get lost.
> the head of risk management told them to get lost
That's why it's important to org-chart engineer for security, if a company is really serious.
The answer is Yes, this can be exploited from the outside by taking over dev machines and using their access.
If you answer No and complain that it’s not taken seriously, it’s at least in part because you didn’t show the risk clearly.
The problem with security is that often it's cheaper to deal with the bad outcome than to prevent it. Actually getting security right is very expensive because it requires virtually every engineer to have some security awareness, and engineers who can be trusted with that tend to be difficult to find. Meanwhile, if you have a security incident you say "sorry", maybe you pay a small fine, and a month later everyone has already moved on.
This misalignment is especially bad at startups. In my experience security is only prioritized when driven by the customer and is largely a performative box checking exercise.