undefined | Better HN

0 pointszamadatix2y ago0 comments

If the people you're paying to find weaknesses in the security system are assuredly never going to find a way to access internal data then how did you conclude you needed a pen tester in the first place? I mean, it's probably the right conclusion but only precisely because they'd find a way to access things they shouldn't be able to.

0 comments

debo_2y ago

It's relatively common to have pen testers attack a cloned environment w/ sanitized data. This is especially true in cases where your policies (or those you've agreed to from customers) require you to present evidence that you are having a pen test done every X years.

red-iron-pine2y ago

access to live data for testing is also a compliance question -- as in, don't do it, and why are you doing it?

why are you not using cloned or dummy data?

x0x02y ago

We spin up a clone of prod and point them at that.

Certainly if a weakness is found in the clone it's also present in prod, but that's what contracts are for. And we also review logs to make sure.

edit: a clone of prod w/ only test data in it, not prod data.

randomdata2y ago

How do you know what you are looking for in the logs?

If you have the foresight to be able to recognize a malicious action from the logs, why not have the software block those actions from the start?

x0x02y ago

We log all accesses and flows. So eg if our pentesters found a vulnerability in an endpoint, we can retrieve every post against that endpoint and (1) verify the pentesters didn't exploit it against prod, and (2) verify that it hasn't been exploited by anyone else.

1 more reply

mkii2y ago

It could have been for a service that was not in production yet, and in an isolated environment.

j / k navigate · click thread line to collapse

0 comments

debo_2y ago

red-iron-pine2y ago

access to live data for testing is also a compliance question -- as in, don't do it, and why are you doing it?

why are you not using cloned or dummy data?

x0x02y ago

We spin up a clone of prod and point them at that.

Certainly if a weakness is found in the clone it's also present in prod, but that's what contracts are for. And we also review logs to make sure.

edit: a clone of prod w/ only test data in it, not prod data.

randomdata2y ago

How do you know what you are looking for in the logs?

If you have the foresight to be able to recognize a malicious action from the logs, why not have the software block those actions from the start?

x0x02y ago

1 more reply

mkii2y ago

It could have been for a service that was not in production yet, and in an isolated environment.

j / k navigate · click thread line to collapse