Fire your devops team.

  • 7
    Maybe I want to join the "we bone line"
  • 3
    Is it some kind of administrative page perhaps? Does it require authentication or is its administrative content publicly visible without authentication? Generally I prefer hiding administrative stuff within a VPN, but leaving it open to the public internet - with proper authentication in place - seems to be a reasonable thing to do. After all, it'd be quite the pain in the ass to get each one of your administrators (especially if there are many) credentials for your VPN server. Same thing with port knocking etc.

    In a lot of ways, secure authentication is a lot more solid than making it inaccessible until certain criteria are met. Ideally you'd do both, but it makes sense to omit the part of making the service itself invisible to the public internet. That does not necessarily make it insecure in any way. What's more, the idea of hiding services away might incentivize some to go with the principle of "security by obscurity" which is far worse.