
And it's not really backed up unless you have a backup of the backup.



It's not really backed up if you haven't proven you can read the "backup".


Yep! I had a department head tell me that we shouldn't prioritize a fix for an SQL injection vulnerability (with full schema privileges!) for a critical system because we have a backup service. I then asked if we've tested it - Nope. I then asked if we had documentation on how to do it - Nope. I left that department as soon as I could.
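The untested backup described in the comment above is the kind of thing a restore drill catches. The following is an added example, not code from the thread or from any system it mentions: it uses Python's `sqlite3` module and constructed sample rows, takes a backup with SQLite's online backup API, then restores that backup into a scratch database and proves it is readable and complete. A second run models a backup job that silently wrote an empty file, which is exactly the failure nobody notices until the day the backup is needed.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rows standing in for the critical system's data.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def create_source_db(path):
    """Create a small SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def take_backup(src_path, backup_path):
    """Copy the live database to backup_path with SQLite's online backup API."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(backup_path)
    with dst:
        src.backup(dst)
    dst.close()
    src.close()


def restore_check(backup_path):
    """Restore the backup into a scratch database and prove it is readable and
    complete. Returns (ok, detail) and never raises on a bad backup."""
    fd, scratch = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    restored = None
    try:
        # Restore the way an operator would: copy the backup into a fresh database.
        bak = sqlite3.connect(backup_path)
        restored = sqlite3.connect(scratch)
        with restored:
            bak.backup(restored)
        bak.close()
        # Check 1: the restored file is structurally sound.
        status = restored.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            return False, "integrity_check: " + status
        # Check 2: the rows we rely on are actually there, not just a valid header.
        rows = restored.execute("SELECT id, name FROM users ORDER BY id").fetchall()
        if rows != SAMPLE_ROWS:
            return False, "row mismatch: %r" % (rows,)
        return True, "restored %d rows" % len(rows)
    except sqlite3.DatabaseError as exc:
        # Unreadable file, missing table, corrupt pages: all count as a failed drill.
        return False, "restore failed: %s" % exc
    finally:
        if restored is not None:
            restored.close()
        os.unlink(scratch)


def run_drill(empty_backup=False):
    """Full drill: create the database, back it up, restore to scratch, verify.
    With empty_backup=True the backup file is replaced by a zero-byte file,
    modelling a backup job that failed without anyone reading its output."""
    tmp = tempfile.mkdtemp()
    try:
        src = os.path.join(tmp, "prod.db")
        bak = os.path.join(tmp, "prod.bak")
        create_source_db(src)
        take_backup(src, bak)
        if empty_backup:
            open(bak, "wb").close()  # constructed failure: the "backup" is empty
        return restore_check(bak)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("healthy backup:", run_drill())
    print("empty backup:  ", run_drill(empty_backup=True))
```

The second check matters as much as the first: an empty SQLite file passes `integrity_check`, so a drill that stops at "the file opens" would still have signed off on a backup with no data in it. For a real system the same shape applies: restore to a throwaway instance, run the integrity tool, then query for rows the business actually depends on, and write the steps down so someone other than the author can repeat them.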


Was there no concern about an attacker being able to -read- the contents, as well?


Not really. It was an internal application, which greatly reduced the risk. The type of information wouldn't be very useful to an attacker. The main problem is that there are developers and business people who also run some SQL and use the system. If they accidentally paste SQL into a search box, it will execute. They could drop tables or anything, even in PRD. If someone were disgruntled or an attacker gained access they could intentionally wipe out the database.
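The search box described above executes whatever is pasted into it because the input is spliced into the SQL text. The following is an added example, not code from the thread or from the application it describes: it builds an in-memory SQLite table from constructed rows, shows the string-concatenated search next to a parameterized one, handles the `LIKE` wildcard edge case that parameterization alone does not cover, and shows the SQLite analogue of taking away the "full schema privileges" mentioned earlier in the thread (`PRAGMA query_only`), so that even a mistaken write is refused.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany("INSERT INTO tickets (title, owner) VALUES (?, ?)", [
        ("Printer jammed", "alice"),
        ("VPN drops", "bob"),
        ("Laptop swap", "carol"),
    ])
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Whatever is typed into the box becomes part of the SQL statement."""
    sql = "SELECT title FROM tickets WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term):
    """Make %, _ and the escape character literal inside a LIKE pattern."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_parameterized(conn, term):
    """The term travels as a bound value; the SQL text never changes, so pasted
    SQL is just a string nobody's ticket title happens to contain.
    The ESCAPE clause keeps pasted % or _ from acting as wildcards."""
    pattern = "%" + _escape_like(term) + "%"
    return [row[0] for row in conn.execute(
        "SELECT title FROM tickets WHERE title LIKE ? ESCAPE '\\'", (pattern,))]


def lock_down(conn):
    """Least privilege for a search-only connection: SQLite refuses every write
    on this connection, whatever statement reaches it."""
    conn.execute("PRAGMA query_only = 1")


def write_blocked(conn):
    """Return True if the connection rejects a write (the table stays intact)."""
    try:
        conn.execute("DELETE FROM tickets")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    pasted = "' OR '1'='1"  # constructed: a fragment that changes the query's meaning
    print("normal search, vulnerable:    ", search_vulnerable(conn, "VPN"))
    print("normal search, parameterized: ", search_parameterized(conn, "VPN"))
    print("pasted SQL, vulnerable:       ", search_vulnerable(conn, pasted))
    print("pasted SQL, parameterized:    ", search_parameterized(conn, pasted))
    print("pasted '%', parameterized:    ", search_parameterized(conn, "%"))
    lock_down(conn)
    print("write refused after lock_down:", write_blocked(conn))
```

Two things worth noticing: the concatenated version returns every row for the pasted fragment because the fragment has become part of the `WHERE` clause, while the parameterized version returns nothing because it looked for that exact text in the titles. Parameterization fixes the injection, not the wildcard problem, which is why `_escape_like` and the `ESCAPE` clause are there. The `query_only` pragma is the SQLite stand-in for running the search feature under an account with no write or schema rights on a real database server; it does not replace the parameterized query, it limits the damage if one is ever missed.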





