by rst 4187 days ago
So they delegated security to a separate team, which only got to put "reinforced firewalls and IPS appliances" around an app which was still missing basic internal security checks. (And it's hard to see how firewalls could do the checks on their own, without access to the app's data stores or duplicating app logic -- either of which makes it no longer a firewall.)

Unfortunately, it's all too easy to get this kind of partial solution from a "security team" that's distinct from (and worse, sometimes hostile to) the team that actually develops the app.

1 comment

They aren't a full stack security team though and it's not fair to be putting any fault on Conosco; they are enterprise IT consulting and support and that's clear enough from a look on their website.

To be basic, a firewall does stateful inspection of inbound and outbound TCP/IP packets and an IPS guards against vulnerabilities with signatures; neither of which understands the application's logic --- there is nothing in off-the-shelf hardware/software that will prevent a shitty app from giving up the keys to the kingdom.

The firewall might block inbound connections to port 22 and the IPS might detect a SQL injection attack and stop it, but if you have an API that just gives up data you're screwed and that's precisely what happened. A legitimate request for information was made on legitimate ports, using legitimate protocols and as far as the hardware defense is concerned, everything is as expected -- the problem is the application.
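The point both comments make, that a well-formed request over legitimate ports sails past a firewall and an IPS and only the application itself can check whether the caller should get the data, as an added illustration that is not part of this thread: a hypothetical record-lookup handler with no ownership check beside the same handler with one, and a crude stand-in for an IPS signature match. The handler, the users and the records are constructed for the example.

```python
# Added example (not from the thread): a minimal API handler that hands out
# records on any syntactically valid request, beside a version that checks
# that the caller is allowed to see the record. Names and data are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed data store: record id -> (owner, payload)
RECORDS = {
    101: ("alice", "alice's account statement"),
    102: ("bob", "bob's account statement"),
}

@dataclass
class Request:
    user: str       # authenticated caller (assume the session layer set this)
    record_id: int  # parameter taken straight from the URL/query string

def lookup_unchecked(req: Request) -> Optional[str]:
    """Vulnerable form: authenticated, well-formed request, no authorization.
    A firewall sees an ordinary HTTPS connection on port 443; an IPS sees no
    attack signature, because record_id=101 is a perfectly legitimate parameter."""
    rec = RECORDS.get(req.record_id)
    return rec[1] if rec else None

def lookup_checked(req: Request) -> Optional[str]:
    """Hardened form: the app enforces object-level authorization itself,
    which only it can do, since only it knows who owns record 101."""
    rec = RECORDS.get(req.record_id)
    if rec is None or rec[0] != req.user:
        return None  # same answer for 'missing' and 'not yours', so no oracle
    return rec[1]

def ips_signature_match(query_string: str) -> bool:
    """Crude stand-in for an IPS signature check: flags a few classic SQL
    injection fragments and nothing else. A plain record lookup never trips it."""
    return any(tok in query_string.lower() for tok in ("' or ", "union select", "--"))

if __name__ == "__main__":
    # bob asks for alice's record with a request that looks entirely legitimate
    req = Request(user="bob", record_id=101)
    print(ips_signature_match("record_id=101"))  # False: nothing for perimeter gear to see
    print(lookup_unchecked(req))                  # alice's data leaks
    print(lookup_checked(req))                    # None: the app did the check
```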