by Veserv
977 days ago
Counter argument: prove that Okta does any of those things to any meaningful degree. They are responsible for guarding the authentication to literally billions of dollars of assets. They are a prime target for organized crime, who can field teams of tens to hundreds of hackers, and state actors, who can field teams of thousands for years. The recent Caesar's attack had a 15 M$ payout, which means it would have been profitable to spend 5-10 M$ of hacking resources to pull off that attack. Okta is a much juicier target. They need to have security adequate to defeat an attack with 10 M$ of funding at a bare minimum. So yeah, show me a red team exercise with 10 M$ of funding, where they get a 30 person hacking team and 1 year full-time, that failed to find any vulnerabilities and failed to gain access to any sensitive data, then we can talk about whether they provided evidence of adequate security. I bet all they have is what everybody else has, which is red team exercises that had 3 people for a month that reported 27 serious vulnerabilities, then another red team exercise that found a different 23 vulnerabilities, then another, then another, then another, always finding new ones because their systems are actually at the 100 K$ quality level. Those exercises do provide evidence and confidence in their security: you can be extremely confident their systems are grossly inadequate for their threat landscape. I have not looked, but the same can almost certainly be said about their certifications, audits, etc., since the gold standard that everyone aspires to is, when looked at objectively, grossly inadequate.
So that they never have to pay it. Up to them to decide how to upskill their red team now.
Barring such a bug bounty, there is no way to trust them.