by Veserv 971 days ago
So I can just give you a cardboard box and call it a vault? You can not prove me wrong upfront so you have to believe me? That is ridiculous.

There is plenty of evidence you can provide to establish confidence that a certain degree of security has been achieved. Robust auditing, thorough review, formal methods, exhaustive testing, competent red teams exercises failing to find any vulnerabilities, etc. The only people throwing their hands up claiming security can not be evaluated have nothing useful to say about security because they do not even believe it is possible to know if they did anything.


Counter argument. Okta does all those things. Provides all the evidence, the red teams, etc. and still you don’t trust them (because they continue to have breaches) so to argue that one can prove security is false. One can only practice security and find assurance in certainty that they can identify events after or when they occur. No one can predict the future and no one can guarantee security in perpetuity. So I agree with you that Okta sucks. I also agree with the argument that you have to keep the knife sharp but you can’t just state the knife is sharp. You have to draw some blood to prove it. Likewise security postures are tested when incidents occur, through testing oneself or from another testing you. Complacency in this is when holes form. Security can only be evaluated at the moment in time. You can audit the past, but you can’t audit the future.
Counter argument, prove that Okta does any of those things to any meaningful degree. They are responsible for guarding the authentication to literally billions of dollars of assets. They are a prime target for organized crime who can field teams of tens to hundreds of hackers and state actors who can field teams of thousands for years. The recent Caesar's attack had a 15 M$ payout, which means it would have been profitable to spend 5-10 M$ of hacking resources to pull off that attack. Okta is a much juicier target. They need to have security adequate to defeat an attack with 10 M$ of funding at a bare minimum.

So yeah, show me a red team exercise with 10 M$ of funding, they get a 30 person hacking team and 1 year full-time, that failed to find any vulnerabilities and failed to gain access to any sensitive data, then we can talk about whether they provided evidence of adequate security. I bet all they have is what everybody else has, which is red team exercises that had 3 people for a month that reported 27 serious vulnerabilities, then another red team exercise that found a different 23 vulnerabilities, then another, then another, then another, always finding new ones because their systems are actually at the 100 K$ quality level. Those exercises do provide evidence and confidence in their security: you can be extremely confident their systems are grossly inadequate for their threat landscape. I have not looked, but the same can almost certainly be said about their certifications, audits, etc., since the gold standard that everyone aspires to is, when looked at objectively, grossly inadequate.

If they protect hundreds of billions in assets, then their bug bounty should be hundreds of billions minus $1.

So that they never have to pay it. Up to them to decide how to upskill their red team now.

Barring such a bug bounty, there is no way to trust them.

So you think they hire competent red teams? Or give them the same scope that hackers are able to achieve?
No and no, but I was just providing a counter argument so we can get past our bias and get to the heart of the issue. Can we trust Okta going forward? Do they understand the scope? The risks? Or are they full of Id and Ego that they think they are untouchable?

Having red teams, having audits, having scans, etc. is simply not enough for some folks, but in Okta’s eyes it’s enough for C-suite talks of taking authentication/authorization off the plate of their IT department.

I firmly believe for every individual who thinks they are untouchable, there’s a hacker who knows more and is willing to throw it all away to prove a point.

Can't agree more.
You can substantiate a claim that a cardboard box is insecure without proving it.

And you can substantiate a claim that an online service is secure without proving it.

Great, so your argument is based on misinterpreting my single usage of the word “prove” to mean the mathematical definition rather than the colloquial definition meaning substantiated as is obvious to even the most casual observer based on how my statements talk about evidence, not logical inference rules.

I mean, do you seriously think that if person A says: “My vault is secure for 15 minutes against a human with a crowbar.” And person B says “Prove it.” That person A would ever respond with: “I can not because a vault is not a mathematical object and therefore proof is impossible, but I can substantiate it.” That would be ridiculous beyond belief. That is what you are doing.

I think the distinction matters not only in mathematics and logic but in security too. Companies with "proven security" are often proven wrong.