[HN Gopher] Our security auditor is an idiot. How do I give him ...
___________________________________________________________________
Our security auditor is an idiot. How do I give him the info he
wants? (2011)
Author : Wowfunhappy
Score : 119 points
Date : 2023-06-18 17:44 UTC (5 hours ago)
(HTM) web link (serverfault.com)
(TXT) w3m dump (serverfault.com)
| anotherhue wrote:
| Personal anecdote: Our backend was exposed using a cloudflare
| tunnel (we call cloudflare, they expose it with security
| scanning, etc.)
|
| Auditor wants to see firewall rules on our IP addresses, except
| we don't have IP addresses, we were small enough that the default
| Azure general shared outbound network worked. (Think CGNAT). No
| amount of explaining this would check the box.
|
| Solution: add a public IP to our prod env, unassigned to
| anything, with firewall rules. Audit passed.
| sgtnoodle wrote:
| Couldn't you just give them an empty rule set? Like, make it a
| nice official looking report.
|
| I had to certify a low speed vehicle using a government test
| procedure. It called for all test equipment to be calibrated
| within the last year. I had built some of the equipment myself
| specifically for the test, though. I measured the relevant
| performance characteristics in a thermal chamber (oscillator
| drift was the only possible source of error), documented it on
| a piece of paper to stick in the office filing cabinet, and
| printed some "Calibrated on xx/xx/xxxx" stickers.
| dharmab wrote:
| A purely hypothetical and fictional story: A programmer once
| complied with a requirement to produce a firewall policy by
| creating an allowlist policy that was effectively 0.0.0.0/0
| but with addresses such as the following removed:
|
| - 100.64.0.0/10
|
| - 192.0.0.0/24
|
| - 192.88.99.0/24
|
| - 192.0.2.0/24
|
| - 198.51.100.0/24
|
| - 203.0.113.0/24
|
| - 233.252.0.0/24
|
| The significance of these networks is left as a punchline for
| the reader.
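The allowlist described in the comment above, built out as an added example (not code from the original post, and not anyone's production policy): starting from 0.0.0.0/0, carve out the listed ranges with Python's standard ipaddress module, then check what the resulting policy actually denies. The range labels come from the IANA special-purpose address registry (RFC 6890 and the RFCs cited inline); the addresses probed at the end are constructed test inputs.

```python
import ipaddress

# The exclusions from the comment, with what each one actually is.
# None of these blocks is routable public unicast space, so removing
# them from 0.0.0.0/0 denies nothing a real Internet client sources from.
EXCLUDED = {
    "100.64.0.0/10":   "Shared Address Space for CGNAT, RFC 6598",
    "192.0.0.0/24":    "IETF Protocol Assignments, RFC 6890",
    "192.88.99.0/24":  "6to4 relay anycast, RFC 3068 (deprecated by RFC 7526)",
    "192.0.2.0/24":    "TEST-NET-1, documentation only, RFC 5737",
    "198.51.100.0/24": "TEST-NET-2, documentation only, RFC 5737",
    "203.0.113.0/24":  "TEST-NET-3, documentation only, RFC 5737",
    "233.252.0.0/24":  "MCAST-TEST-NET, documentation only, RFC 5771",
}


def build_allowlist(excluded):
    """Return the minimal sorted list of CIDR prefixes covering
    0.0.0.0/0 with every network in `excluded` removed."""
    allowed = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in excluded:
        bad = ipaddress.ip_network(cidr)
        next_allowed = []
        for net in allowed:
            if bad.subnet_of(net):
                # Split `net` into the prefixes that remain once `bad` is cut out.
                next_allowed.extend(net.address_exclude(bad))
            elif net.subnet_of(bad):
                continue  # entirely inside an excluded block; drop it
            else:
                next_allowed.append(net)
        allowed = next_allowed
    return sorted(set(allowed))


def is_allowed(policy, addr):
    """True if `addr` matches any prefix in the allowlist."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in policy)


def covered_addresses(policy):
    """Number of IPv4 addresses the allowlist permits."""
    return sum(net.num_addresses for net in policy)


def denied_addresses(policy):
    """Number of IPv4 addresses the allowlist denies."""
    return 2 ** 32 - covered_addresses(policy)


if __name__ == "__main__":
    policy = build_allowlist(EXCLUDED)
    print(f"{len(policy)} allow rules, {denied_addresses(policy)} addresses denied")
    for cidr, label in EXCLUDED.items():
        print(f"  deny {cidr:16} {label}")
    # Constructed probes: one real public resolver, one documentation address.
    for probe in ("8.8.8.8", "203.0.113.5", "100.64.0.1"):
        print(f"  {probe:12} -> {'ALLOW' if is_allowed(policy, probe) else 'DENY'}")
```

The punchline, in numbers: the policy is a long, legitimate-looking list of allow rules whose prefixes add up to all of IPv4 minus roughly four million addresses, and every one of those is documentation space, shared CGNAT space, a reserved assignment block, or a deprecated anycast relay. An auditor who counts rules sees a firewall policy; an auditor who computes the complement sees a deny list of nothing. The latter check is the one worth writing down.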
| exabrial wrote:
| Facing a similar issue once, I gave them cloudflare's ips and
| that seemed sufficient.
| sgtnoodle wrote:
| Another one. We once had to get a solar car inspected by the
| state for registration. They needed to hook up a tube to the
| exhaust for an emissions test. We just pointed them to the
| battery's cooling exhaust.
|
| Another solar car, a police officer just came out to inspect it
| like a "kit car". He asked, "It has 4 wheels, right?" And we
| were like, "yeah for sure, if you count the steering wheel."
| And he went ahead and checked the box.
| dharmab wrote:
| At a large tech company, we were planning to offer a certain
| service to the US government. In order to comply with FedRAMP,
| we added some extra proxies to the infrastructure running the
| Gov workloads so that they would have the dedicated IP
| addresses required for compliance.
| bombcar wrote:
| This kind of compliance happens time and time again all
| throughout any regulated industry.
| tedunangst wrote:
| No ten years later where are they now update post?
| [deleted]
| Spooky23 wrote:
| It's a trap. You reply with the policies that prohibit what he's
| asking. If you don't have any, that's a finding. If you do and
| violate the policy, that's a finding.
|
| When the premise is that the auditors are idiots, you have a
| problem. ;)
| kneebonian wrote:
| Having worked in security for a number of years there are 2 types
| of security people.
|
| Type 1: Are super sharp guys that have spent time in half a dozen
| areas and went to security because it was the only way to get the
| exposure they want to so many different things, they often also
| are associated with red team and the kind of people you want as
| security engineers.
|
| The second type is the type of people who focus on "security" who
| end up focusing on compliance and audit and are responsible for
| security theater. They may have a lot of certs especially the
| CISSP and are business savvy. They are also the most likely to do
| things like in the original post because they don't actually
| understand computers and what they are securing.
|
| The 2nd type give the 1st (which I hope I am) a bad name, and
| unfortunately are more common than not.
|
| The reason for this is that security has to be across every piece
| of the stack, if you have a single weak point then your entire
| stack is compromised. As a result you either have to be able to
| operate in all layers of the stack, which is very hard to get
| good at and understand and takes a lot of time and effort, or you
| trick yourself (and people who don't know what they're talking
| about) into believing that you can focus on just the "security"
| pieces of each layer of the stack. Which unfortunately means that
| things end up dogmatic, cargo culty, and vendor saturated because
| you don't have the understanding to make intelligent decisions
| only the understanding to follow "Da Rules" of security.
| theknocker wrote:
| [dead]
| paxys wrote:
| Sounds like internet creative writing, with the standard "and
| then everyone clapped" ending.
| yawaramin wrote:
| The only way it could be more satisfying is if there was one
| more update gleefully telling everyone about how the auditor
| got clapped by PCI or Visa or whoever.
| nneonneo wrote:
| Interesting, the poster was named "Smudge" when I first opened
| the link a few minutes ago, but is now named "Blank". Perhaps
| they read HN?
|
| (I'm not giving anything away that isn't already public, by
| virtue of the Internet Archive:
| https://web.archive.org/web/20230205031024/https://serverfau...)
| tptacek wrote:
| 12 years of previouslies:
|
| https://news.ycombinator.com/item?id=12434215 (with an actual
| thread)
|
| https://news.ycombinator.com/item?id=2820567 (with an actual
| thread)
|
| https://news.ycombinator.com/item?id=7456068 (with an actual
| thread)
|
| https://news.ycombinator.com/item?id=2796423 (with an actual
| thread)
|
| https://news.ycombinator.com/item?id=20333488
|
| https://news.ycombinator.com/item?id=19540665
|
| https://news.ycombinator.com/item?id=12432018
|
| https://news.ycombinator.com/item?id=11360499
|
| https://news.ycombinator.com/item?id=19400843
|
| https://news.ycombinator.com/item?id=7458926
|
| https://news.ycombinator.com/item?id=12416581
|
| I doubt this story is real, for whatever that's worth.
| oliwarner wrote:
| > I doubt this story is real
|
| Oh, never underestimate the incompetence of clients' compliance
| gremlins to mangle actual regulations into impossibly
| contradictory checklists and requirements.
|
| That said, we have had trick security questions before too.
| sam_lowry_ wrote:
| With all due respect... I once saw a very authoritative
| explanation of abbreviations in the ISO2022 standard: they
| wanted to save space!
|
| So banks of the world use Ccy for Currency.
| ilyt wrote:
| > I doubt this story is real, for whatever that's worth.
|
| Plot twist: It's a social engineering test
| darkclouds wrote:
| Quite likely. Considering the "bugs" that exist in hardware
| which the security auditor has no control over which is a
| "forced to trust hardware" exercise, before even looking at
| software bugs, it seems like a job to keep someone occupied
| whilst most of the population drinks from the kool aid
| decanter.
| [deleted]
| WheatMillington wrote:
| I have a hard time believing this is genuine. It feels like
| ragebait for security nerds to me.
| technion wrote:
| Meanwhile my issue with it is that the story got so popular
| online, given it feels like a normal day with most security
| auditors. I have to have worked with dozens of guys just like
| this. The only thing consistent is that they are the ones being
| listened to.
| andrewflnr wrote:
| What a paradox. You are blessed with innocence about the ways
| of low-rent security auditors, but poisoned with cynicism
| toward their victims.
| sdflhasjd wrote:
| I dunno, I also feel it's fake. When I compare the experience
| dealing with bullshitters against the one in the original
| post, it has a different feel. The post is too "internet
| creative writing" in tone and substance: where every argument,
| counter-argument, rebuttal and retort perfectly mesh to
| create the ideal shower-argument-esque narrative.
| Particularly as it feels like the same person is writing both
| sides.
|
| In real-life you either cut it off politely to save your own
| time, or it would just descend into a mudfight.
| qntmfred wrote:
| I went through the SOC 2 (Type 1 and 2) process in the last few
| years and I nearly quit with the amount of useless, ill-informed
| nonsense I had to submit to.
|
| The regulatory controls themselves are mostly reasonable, but
| seeing the competency and rigor (lack thereof) of the auditors
| was completely demotivating.
| gurchik wrote:
| I see a lot of people say this. Maybe I've just been lucky but
| all of my security audits have been sensible and easy.
|
| The only exception was at one company, an auditor flagged that
| we weren't in compliance with "antivirus software is installed on
| all storage servers," and as they defined it, that would have
| included our Docker image repositories and S3 buckets. They
| gave us some suggestions on how we could do this, for example a
| Lambda-based solution that would scan all files uploaded to S3.
| We just said "no" and they dropped it.
___________________________________________________________________
(page generated 2023-06-18 23:01 UTC)