
I am an app developer and working with another software group at my MEGACOMPANY.


Question

I am an app developer and working with another software group at my MEGACOMPANY. Said group wants to put confidential information on the internet and they are very happy with their authentication system, which just blocks that content from our normal customers based on IP address.

I have already cracked their system yet the bosses at MEGACOMPANY tell me that I can crack any system so me getting into the content doesn't equate to a security issue (please giggle a little).

I am asking for SSO authentication, as we have on 99% of our sites. They want to keep the current system for a variety of reasons. How secure do you believe this site to be? Also, are there methods that robots or joe-average-instigator would use to gain access to the information?

Explanation / Answer

If you have shown the stakeholders the risk and they have decided to accept the risk as "not likely", then the decision is out of your hands. You need to continue to educate, educate, educate, but you need to understand that it is management's job to manage the costs and risks to the company. InfoSec's job is to serve the company, even if the decisions the company makes are not "best practice".

Your job now, because you understand the threat, is to come up with ways to mitigate the risk that you identified and present that plan to the stakeholders. "If someone like me were to want to get the data, they would do X, and this is how we can mitigate that breach."