[S201]

> right in front of ultra short timeouts everywhere

> If only I could meet the people who make these decisions in person...

For what it's worth, I was once forced to implement a half hour auto-logout on a website that could hardly be considered as containing sensitive data because an external pentest firm flagged the lack of a short timeout as an issue. The only way we could show clients a passing pentest was to comply with all of the findings. We all knew it was stupid but management gave us no choice but to implement it.

[BLKNSLVR]

You must have had your shit pretty tight for the pen-tester to have to scrape that from the bottom of the barrel.

[vidarh]

Sometimes they will just be excessive because nobody applies any kind of critical thinking and/or because they favour looking like they find a lot over any kind of precision. I once had a site where they insisted on disabling ping responses for the website, citing it as a serious security concern. Because surely nobody would otherwise know that the very public website was there.

I replied with listing a number of websites of security focused organisations whose websites responded to ping, including assorted security services, military, and the pentesting company's own website.

(I didn't object to them querying what actually responded to the ICMP requests - none of them made it past the firewall, which is what replied and revealed nothing of our internal infra - I objected to them ignoring that answer and still insisting it revealed things it demonstrably didn't, and that lack of understanding was consistent through their report)

[IgorPartola]

I mean at that point isn’t the pushback “hey Management, this pentester is clearly incompetent. We need a new one.”?

[vidarh]

Yes, but with the problem that the pentester had been hired by our client and our client was a multibillion budget quasi-governmental organisation (transit authority) that was not inclined to listen because that'd involve mid-level managers sticking their necks out when they didn't need to and didn't know who was right.

So we did the British thing and went for a lot of passive-aggressive "oh, but how come it's ok for the CIA and your own website?" etc. to force them on the defensive and demonstrate that a lot of what they did was basically ticking pointless boxes.

We did manage to carve out some willingness in the client organisation to ignore bits and pieces as we clearly increased our credibility relative to the pen testers, but it was a massive pain.

[erhaetherth]

Hah..you just reminded of me of something I implemented at my old company. We had a similarly short timeout, so I put in a 'heartbeat' that would refresh the timeout if you move your mouse or do anything.

[Nifty3929]

"management gave us no choice" - Would you have done differently?

"The only way we could show clients a passing pentest..."

[cnity]

Push back on the pentest firm and explain reasoning, rather than bubbling pointless requirements to the engineers.

[Kalium]

That might work if your company hired the pen testers, it's a lot less likely to work if they were hired by a client. In the latter case, the overhead of all the required explanation and smoothing of ruffled feathers for the client likely costs a lot more than implementing the stupid timeout in the first place.

Pen testers are often very resistant to pushback. They get it a lot, and usually on things that are real concerns.

[cnity]

Good points.