57

Data scientist: we need to whitelist a pod to connect to a database
Me: Whitelist? We don't use whitelists on private databases
DS: It's the new data warehouse database
Me: is it on <X> VPC?
DS: I'm not sure what that means but its IP is <real world ipv4>
Me: Are you hosting a publicly accessible database with all our end users information?!
DS: ...
Me: There goes our SOC2 audit controls...
DS: how long until you can whitelist it?
Me: I won't be whitelisting it. You need to put it on a private VPC and peer with the cluster, you'll have to rebuild all the Terraform and redeploy
DS: We didn't use Terraform because it takes too long, just whitelist the pod's IP.
Me: No. I'm contacting the CISO and CTO...
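The two things the exchange turns on, a database endpoint that sits on a real-world address instead of a private VPC range and an ingress rule that "whitelists" a pod's public IP, are both mechanically checkable. The script below is an added example and not the poster's or the client's tooling; the inventory is constructed for the example and its field names only loosely mirror what an `rds:DescribeDBInstances` response carries, nothing here calls AWS. The default-credential list and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses standing in for the "real world" IPs are assumptions.

```python
"""Audit a database inventory for the problems in the post above.

Added example, not the original poster's tooling. The inventory below is
constructed for the example; the field names loosely mirror what an
`rds:DescribeDBInstances` call returns, but nothing here talks to AWS.
"""
from __future__ import annotations

import ipaddress

# Ranges that are not routable from the internet. A database endpoint that
# falls outside all of these is reachable from the public internet.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "100.64.0.0/10",                                    # carrier-grade NAT
        "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
        "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 equivalents
    )
]

# Credential pairs to refuse outright (assumed list; extend for your fleet).
DEFAULT_CREDS = {
    ("postgres", "postgres"), ("root", "root"), ("admin", "admin"),
    ("sa", ""), ("mysql", "mysql"),
}


def is_public_ip(ip: str) -> bool:
    """True when ip lies outside every non-routable range, i.e. it is a
    real-world address and not something inside a private VPC."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def audit(instance: dict) -> list[str]:
    """Return the findings for one database instance ([] means clean)."""
    findings = []
    ip = instance["endpoint_ip"]
    if is_public_ip(ip):
        findings.append(f"endpoint {ip} is a public address, not a private VPC range")
    if instance.get("publicly_accessible"):
        findings.append("publicly_accessible flag is set")
    for cidr in instance.get("ingress_cidrs", []):
        net = ipaddress.ip_network(cidr, strict=False)
        # Check /0 before anything else: older ipaddress versions report
        # 0.0.0.0/0 as "private" because both ends of it are reserved.
        if net.prefixlen == 0:
            findings.append(f"ingress {cidr} allows the whole internet")
        elif is_public_ip(str(net.network_address)):
            findings.append(
                f"ingress {cidr} whitelists a public address; peer the VPC instead"
            )
    creds = (instance.get("user", ""), instance.get("password", ""))
    if creds in DEFAULT_CREDS:
        findings.append(f"default credentials {creds[0]}:{creds[1]}")
    return findings


# Constructed inventory. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for the real-world addresses in the post.
INVENTORY = {
    "data-warehouse": {
        "endpoint_ip": "203.0.113.45",
        "publicly_accessible": True,
        "ingress_cidrs": ["0.0.0.0/0", "198.51.100.7/32"],  # "just whitelist the pod IP"
        "user": "postgres",
        "password": "postgres",
    },
    "app-db": {
        "endpoint_ip": "10.42.3.17",
        "publicly_accessible": False,
        "ingress_cidrs": ["10.42.0.0/16"],  # peered cluster range only
        "user": "app_rw",
        "password": "correct-horse-battery-staple",  # placeholder, not a real secret
    },
}


def audit_inventory(inventory: dict) -> dict:
    """Map instance name -> findings; a CI gate can fail on any non-empty entry."""
    return {name: audit(inst) for name, inst in inventory.items()}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Running it reports the warehouse instance five times over (public endpoint, public flag, world-open ingress, a whitelisted public /32, and postgres:postgres) and the app database as clean. The public-address test deliberately lists the non-routable ranges by hand instead of relying on `is_global`, which would also classify the documentation ranges used here as non-public; the same check is what "is it on <X> VPC?" boils down to.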

Comments
  • 43
    Btw, the database credentials they were using... postgres:postgres

    RIP
  • 5
    Please note that I'm not trying to shit on you.

    If you seem to be responsible for this stuff, why were they allowed to try to interface with infrastructure in the first place, much less deploy their own infrastructure?

    I mean, I get shortcuts are taken, but if you are preoccupied with certifications, maybe this is a valid concern?
  • 5
    I guess CTO didn't get a chance to look into your concern
  • 13
    @CoreFusionX oh that's easy. I'm the new hire!

    I'm not in charge of this stuff per se, but I replaced another DevOps (honestly just ops) guy who didn't think of these things.

    This is a client's infrastructure, and they've gotten the client in trouble with SOC2 audits in the past and are on their last legs.
  • 5
    @lungdart hooooleeesheit!

    Who fucking does that?! Like seriously, where would one do that?

    There's so many places to host it, so like what URL?
  • 5
    @sariel it's totally safe, you're not whitelisted!
  • 6
    👍 for contacting the CTO

    It's sometimes not about shaming individual teams but about making the higher-ups realise that they need to clarify that, even if teams feel stressed out over time constraints, the business would rather have the deadline fail than cut corners with security like this.

    Besides a lack of respect for security, some teams might feel they lack the authority to say no when stakeholders demand a tight deadline, and will cut every corner to appease their supposed overlords.
  • 6
    @jiraTicket bingo.

    I've noticed many engineers are too shy to say no, and try to work all night to get it done, and still fail

    If it's not happening by the deadline, the sooner people know the better
  • 5
    @lungdart default credentials? neat!!

    And what's the IP they used?
  • 9
    @netikras 127.0.0.1 of course
  • 2
    @netikras don't worry it's safe. The IP was given by AWS, and they wouldn't compromise us with a bad IP! /s
  • 1
    @alexbrooklyn or was it 127.1 instead :D you know, to save characters or something
  • 2
    if only more people in IT would use their brain like you did there
  • 1
    Here is the thing about experience: there is experience in maintaining (supporting an app) and there is experience in creating (migrations, projects); people learn more from the latter.
  • 0
    Datascientists are like monkeys with grenades...
  • 0
    @topsecret230
    Gee, thanks.
    *pling, click*
  • 0
    Update, I quit the job. That place was garbage.
  • 0
    Ffs has Kiki made a new account with the user name topsecret230 ?!