User: If we use OAuth2, can we audit exactly where this data is going and who sends it there, and in addition can we audit who grabs that data from the Authenticating app and make sure it doesn't violate our requirements?

Me: No

User: Why not?

Me: Because that's like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???

User: Uhhhhh

FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real, but throwing out all permissible contexts based on a mandate that we don't even apply to extremely permissive accounts (i.e. users compared to apps) is folly.

    I have the greatest respect for good sec-ops people.

    I have nothing but malcontent for idiots who impose "security best practices" on engineers when they themselves don't even understand WTF it is they're asking to do.

    It boggles my mind how far confidence and absurdity will get you in the security field because, "they're only trying to make sure our clients are safe"
