Comment by rbobby
2 hours ago
> best thing to do is segregate and control damage
I first encountered that concept with a client that put every webapp in its own virtual server and expected the VM to get compromised at some point. Seemed like a very sensible idea 15 years ago.
My point was to limit access to tokens, segregate with different accounts for different apps, different computers or ISPs if need be.
Wall it off and don't trust VMs either. If you have something of value they can escape it.