by AmericanChopper 2504 days ago
> Working from a point of "I don't trust my employees" is very painful for many reasons.

It’s probably the hardest problem to solve in general, but it’s exactly what a well designed separation of duties is supposed to address.

I have never even heard of an internal site-wide pentest that failed.
I'm guessing Coinbase hiring a pentester and giving them 'employee level access' would be a needless formality?
People do internal pentests even though everyone knows the pentesters will win; you still learn something from the experience.
You’ll never be able to prevent privileged insiders, or their accounts, from being able to cause damage. But I have worked with organisations where internal tests were not able to compromise the most critical assets, and where the outcome of the tests was that those assets became even better protected. Which is really the best outcome you could be hoping for with these kinds of engagements, imo.
Of course, I was just being cute.