[DyslexicAtheist]

"tell me what outgoing ports the application needs" is what results in blank stares the most. its embarrassingly basic, but maybe it has something to do with "senior" devs only being on the job for mere 5-8 years. that is the amount of time good cybersec people spend on understanding security after a decade in dev (or in ops).

[rescbr]

Ohh! I’ve been at the other side of this discussion.

It usually goes like:

“What are the outgoing ports?” “1024-65535, I mean, the app is using X language’s standard library to make an HTTPS request.”

“What are the IPs we have to whitelist?” “You can either allow app.example.com or take AWS’s IP range JSON file and allow all of those, we don’t control what IP gets assigned to AWS’s API Gateway service”

Then some cloud provider’s SA/SE gets looped in to say the same stuff to the security team.

Some exec then gets escalated and approves this as a risk.

Tale as old as time.

[camgunz]

Yeah, OS firewalls have limited use in the modern app stack. It's not just HTTP(S), you've got cache and database in there too. If any ops person asked me this question I'd take it as a bad sign. Like, you're worried about exfil on an application by application basis in your prod deployment, which I assume is all VPC'd and not SSHable? There are better ways to spend your time.