by wheaties 1862 days ago
I believe this. Most of the "security" people I run into don't know jack. Incompetence is ripe and this sector will only grow.

Last external IT audit I had to explain to the auditors what a password manager was. They'd never heard of it.


Exactly. It's shocking how bad most audits are. The standards they're trying to enforce were obviously put in with the best intentions, but instead of the spirit of the rules, the letter is being followed. When the letter of the law is being enforced by people that don't know anything about the industry or how the technology works, you get truly asinine decisions.
It's an inevitable part of the way IT Audit is structured. Standards are necessarily abstract from specific systems (so don't always apply well) and updating standards is a slow process.

The auditors themselves are often tasked with reviewing a massively disparate group of systems, so there's no way they could become subject matter experts in each one.

So the result is a checklist approach, especially as most compliance tasks are pass/fail.

Virtually all cloud deploys are misconfigured ;)

https://www.crowdstrike.com/cybersecurity-101/cloud-security...

Cloud native tools such as Cilium that leverage eBPF to provide packet level visibility but I doubt 1% of enterprises use them!

https://cloud.google.com/blog/products/containers-kubernetes...

I prepared so much for our audit and the only thing this guy cared for in a 5 developer company was the fact that I had root access on all environments.

He didn't care about AWS having 2FA configured, about our VLAN IPsec tunnel, etc.

I even took the liberty to fix the MD5 password shit with bcrypt just before the audit...
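The MD5-to-bcrypt fix mentioned in this comment, as an added example that is not the commenter's code: a login routine that still verifies the legacy unsalted MD5 record, and on the first successful login rewrites it with a salted, deliberately slow hash, so the migration completes without forcing resets. The commenter used bcrypt; this example substitutes PBKDF2-HMAC-SHA256 from Python's standard library so it runs without third-party packages (with the `bcrypt` package installed, `hash_password` and the second branch of `verify_password` would call `bcrypt.hashpw` and `bcrypt.checkpw` instead). The user record, password and iteration count are constructed values.

```python
import hashlib
import hmac
import os

# Constructed legacy store: the old scheme stored a bare, unsalted MD5 digest.
# The user and password are made up for this example.
LEGACY_USERS = {
    "alice": "md5$" + hashlib.md5(b"correct horse").hexdigest(),
}

# Assumed tuning value: the OWASP-recommended floor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Hash with a random per-user salt and a slow KDF (stdlib PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Check a password against either the legacy MD5 record or the new format."""
    scheme, *parts = stored.split("$")
    if scheme == "md5":
        # Legacy path kept only so existing users can log in once and be upgraded.
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, parts[0])
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = parts
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(candidate.hex(), digest_hex)
    return False


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, transparently upgrade a legacy MD5 record in place."""
    stored = users.get(username)
    if stored is None:
        # Spend comparable time on unknown users so response timing does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    if not verify_password(stored, password):
        return False
    if stored.startswith("md5$"):
        # The plaintext is only available at login time, so this is the one
        # moment the record can be rehashed with a salt and a slow KDF.
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = dict(LEGACY_USERS)
    print("before:", users["alice"][:12])
    print("login ok:", login(users, "alice", "correct horse"))
    print("after: ", users["alice"][:14])
```

Once every remaining `md5$` record has either been upgraded or expired, the legacy branch in `verify_password` should be deleted so that an exported copy of the old table can never be used to log in again.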

That guy is completely right. I wouldn’t look at anything else either as that is already the security worst case scenario.
On a small company with 5 people?

Are you serious?

What would be your suggestion then?

Eliminate root access. If an intruder gets into your network they have unrestricted access to everything. Game over.

The solution is defense in depth. Have different accounts with separate access to various services. That way if an account is compromised they don’t have access to everything.

Most of your accounts should provide least access to what they need. Higher level accounts allowing greater control of your system should be rarely available for access and need to be part of regular access control audits.

I'm not logging in as root directly.

But nonetheless, with 5 people, what audit system would even be available in which only one person has access?

All smart concepts cost either a lot of money or just don't work if you don't have enough people.

Should the only tech lead have access to the audit system? Probably. Should the only tech lead have access to VMs? Probably yes.

I made sure my systems are encrypted, 2FA wherever possible, no external systems besides the services.

Security is hard. As a business owner that is a risk you accept.

I know this sounds mean but software developers are really embarrassingly bad at security, because security is inconvenient by design and developers strive for convenience.

What did he suggest as a mitigation? Or isn't that part of an audit?
He suggested that my CEO or CTO would need to be called if I needed root access.

Like some four-eyes system.

They both liked the idea very much that I might need to call them for access to systems I build :D

As a developer who used to work in cyber security that feeling is mutual on both sides. Unfortunately they are typically both right.