by reactordev 971 days ago
Counter-argument. Okta does all those things. Provides all the evidence, the red teams, etc., and still you don't trust them (because they continue to have breaches), so to argue that one can prove security is false. One can only practice security and find assurance in the certainty that they can identify events after or when they occur. No one can predict the future and no one can guarantee security in perpetuity. So I agree with you that Okta sucks. I also agree with the argument that you have to keep the knife sharp, but you can't just state the knife is sharp. You have to draw some blood to prove it. Likewise, security postures are tested when incidents occur, through testing oneself or from another testing you. Complacency in this is when holes form. Security can only be evaluated at a moment in time. You can audit the past, but you can't audit the future.

Counter-argument: prove that Okta does any of those things to any meaningful degree. They are responsible for guarding the authentication to literally billions of dollars of assets. They are a prime target for organized crime, who can field teams of tens to hundreds of hackers, and state actors, who can field teams of thousands for years. The recent Caesars attack had a 15 M$ payout, which means it would have been profitable to spend 5-10 M$ of hacking resources to pull off that attack. Okta is a much juicier target. They need to have security adequate to defeat an attack with 10 M$ of funding at a bare minimum.

So yeah, show me a red team exercise with 10 M$ of funding, where they get a 30-person hacking team and 1 year full-time, that failed to find any vulnerabilities and failed to gain access to any sensitive data; then we can talk about whether they provided evidence of adequate security. I bet all they have is what everybody else has, which is red team exercises that had 3 people for a month and reported 27 serious vulnerabilities, then another red team exercise that found a different 23 vulnerabilities, then another, then another, then another, always finding new ones because their systems are actually at the 100 K$ quality level. Those exercises do provide evidence and confidence in their security: you can be extremely confident their systems are grossly inadequate for their threat landscape. I have not looked, but the same can almost certainly be said about their certifications, audits, etc., since the gold standard that everyone aspires to is, when looked at objectively, grossly inadequate.

If they protect hundreds of billions in assets, then their bug bounty should be hundreds of billions minus $1.

So that they never have to pay it. Up to them to decide how to upskill their red team now.

Barring such a bug bounty, there is no way to trust them.

So you think they hire competent red teams? Or give them the same scope that hackers are able to achieve?
No and no, but I was just providing a counter argument so we can get past our bias and get to the heart of the issue. Can we trust Okta going forward? Do they understand the scope? The risks? Or are they full of Id and Ego that they think they are untouchable?

Having red teams, having audits, having scans, etc. is simply not enough for some folks, but in Okta's eyes, it's enough for C-suite talks of taking authentication/authorization off the plate of their IT department.

I firmly believe for every individual who thinks they are untouchable, there’s a hacker who knows more and is willing to throw it all away to prove a point.

Can't agree more.