Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
I have the greatest respect for good sec-ops people.
I have nothing but malcontent for idiots who impose "security best practices" on engineers when they themselves don't even understand WTF it is they're asking to do.
It boggles my mind how far confidence and absurdity will get you in the security field because, "they're only trying to make sure our clients are safe"
When you're a hardcore web developer, the only 'action' you .get() is when you're writing a login form scraper...
User: If we use Oauth2, can we audit exactly where this data is going and who sends it there, and in addition cam we audit who grabs that data from the Authenticating app and make sure it doesn't violate our requirements?
Me: No
User: Why not?
Me: Because thats like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???
User: Uhhhhh
FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real but throwing out all permissible contexts based on a mandate that we dont even apply to extremely permissive accounts (i.e. users compared to apps) is folly
rant
least privilege
oauth