21

My boss just came to me and demanded that we drop the first layer of security from our new servers so that the snake oil salesmen he used can pen test it. I did try to explain that you don't remove security to test security.

Comments
  • 3
    Maybe you already did, but try to explain security in layers, like an onion's layers.

    One layer by itself is fragile: you could crush it with one hand easily, and it will expire fast.

    While the whole onion is strong (try to crush an onion using a single hand...), it also won't expire as fast as it would have, being cut in half.
  • 1
    @neriald Omg 😅 yeah I meant onion... Sorry 😓
  • 4
    Someone tried that on me once. I just said, "Ah, the first layer is obscuring our ports and endpoints, so here are the details of the ports and endpoints."

    They weren't obscured; they were publicly documented. Seemed to work though.
  • 1
    If you have a professional pentester, it is not uncommon to give him temporary administrative privileges so he can explore your systems from the inside, while leaving the external-facing systems as they are. Of course it depends on the service you are paying for, as those whitebox audits aren't usually that cheap.

    What is uncommon is to dismantle the security of public-facing systems, as they are (duh!) accessible to the public.
  • 0
    @sbiewald This is one of those automatic script types of pentesting, and I am being asked to allow it on a public-facing site. To make matters worse, last week the same boss told me I couldn't use my mission script, which is on a non-internet-accessible machine, to send files by SSH and HTTPS because it didn't sound secure to him.
  • 1
    @curlybraces maybe he's trying to check if he can destroy the stones using the stones.😝
  • 0
    When we did a pen test, we needed to ask Azure to disable their security measures for the duration of the test.