by nnurmanov 59 days ago
You have no idea how indifferent security officers can be, even when you point out critical issues. The other day, we flagged that a customer’s database had users with excessive privileges. Their only question: “Can this be exploited from the outside?”

No, but most breaches today come from compromised internal accounts that are then used to break everything.

3 comments

What's the problem with having a local API connected over HTTP? We are within the enterprise network.

And that's how I passed for an annoying "PM". With half of program management complaining that I was slowing things down until, 6m later, the head of risk management told them to get lost.

> the head of risk management told them to get lost

That's why it's important to org-chart engineer for security, if a company is really serious.

The problem with security is that often it's cheaper to deal with the bad outcome than to prevent it. Actually getting security right is very expensive because it requires virtually every engineer to have some security awareness, and engineers who can be trusted with that tend to be difficult to find. Meanwhile, if you have a security incident you say "sorry", maybe you pay a small fine, and a month later everyone has already moved on.
This misalignment is especially bad at startups. In my experience security is only prioritized when driven by the customer and is largely a performative box checking exercise.
The answer is Yes, this can be exploited from the outside by taking over dev machines and using their access.

If you answer No and complain that it’s not taken seriously, it’s at least in part because you didn’t show the risk clearly.

Maybe a dumb idea, but maybe using some kind of one-time token access would resolve it? Some physical keycard would guarantee this to not happen at all, right?
There is always a disgruntled employee :) They will do anything to do maximum harm.