undefined | Better HN

0 pointsf00_8y ago0 comments

>defend against DDoS but not sanitizing user input

>calling a pentested a script kiddie

welp, my work is done here

0 comments

2 comments · 1 top-level

e1g8y ago· 1 in thread

I wrote "script kiddie" as a way to describe the relative complexity of this attack vector - I was highly impressed with the pentest process, and think it's one of the smartest things we did this quarter.

Filtering user inputs is security 101, yet we missed this while focusing on fancy defense mechanics. This large gap between what the engineering team prepared for, and how they were exposed, is what made the outcome "embarrassing" - hence I agreed with GP that CSV/Excel stuff could be a blind spot even for well-trained people.

f00_OP8y ago

for sure, I think i'm just sensitive to the use of script kiddie haha

Atleast you're thinking about it, company I work for definitely prioritizes freedom over security if you know what i mean

j / k navigate · click thread line to collapse