
It is not a vulnerability, you literally pay for this feature. I really don't want to defend Crowdstrike but HN keeps making it hard not to.


Storing secrets in unsecured environments in plaintext is literally a vulnerability.

One of the most famous examples can be seen in the NSA slide at the top of this article:

https://www.washingtonpost.com/world/national-security/nsa-i...


the security tools' storage system is always considered a secured environment.


Without even having to secure it?


Yes, but also No.

So there's this thing called a "threat model", and it includes some assumptions about some moving parts of the infra, and it very often includes an assertion that a particular environment (like IDS logs, the signing infra surrounding an HSM, etc.) is "secure" (they mean outside of the scope of that particular threat model). So it often gets papered over, and it takes some reflex to say "hey, how will we secure that other part?" There needs to be some consciousness about it, because it's not part of this model under discussion, so not part of the agenda of this meeting...

And it gets lost.

That's how shit happens in compliance-oriented security.



