top | item 39637080

S201|2 years ago

> right in front of ultra short timeouts everywhere

> If only I could meet the people who make these decisions in person...

For what it's worth, I was once forced to implement a half hour auto-logout on a website that could hardly be considered as containing sensitive data because an external pentest firm flagged the lack of a short timeout as an issue. The only way we could show clients a passing pentest was to comply with all of the findings. We all knew it was stupid but management gave us no choice but to implement it.

BLKNSLVR|2 years ago

You must have had your shit pretty tight for the pen-tester to have to scrape that from the bottom of the barrel.

vidarh|2 years ago

Sometimes they will just be excessive because nobody applies any kind of critical thinking and/or because they favour looking like they find a lot over any kind of precision. I once had a site where they insisted on disabling ping responses for the website, citing it as a serious security concern. Because surely nobody would otherwise know that the very public website was there.

I replied by listing a number of websites of security focused organisations whose websites responded to ping, including assorted security services, military, and the pentesting company's own website.

(I didn't object to them querying what actually responded to the ICMP requests - none of them made it past the firewall, which is what replied and revealed nothing of our internal infra - I objected to them ignoring that answer and still insisting it revealed things it demonstrably didn't, and that lack of understanding was consistent through their report)

erhaetherth|2 years ago

Hah... you just reminded me of something I implemented at my old company. We had a similarly short timeout, so I put in a 'heartbeat' that would refresh the timeout if you move your mouse or do anything.
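The activity-driven timeout refresh described in the comment above, as an added example that is not code from the thread or from any commenter: an idle-timeout tracker whose heartbeat is throttled and which is bounded by an absolute session cap, so mouse movement extends the idle window but cannot keep a session alive indefinitely. The half-hour idle timeout comes from the thread; the 12-hour absolute cap, the one-minute heartbeat throttle and the injected clock are assumptions for the example.

```javascript
// Added example (not from the thread). Time is passed in explicitly (ms) so
// the logic runs and can be tested offline; the DOM wiring is optional.
const IDLE_MS = 30 * 60 * 1000;          // half-hour idle timeout, as in the thread
const ABSOLUTE_MS = 12 * 60 * 60 * 1000; // assumed absolute cap: 12 hours
const HEARTBEAT_MIN_GAP_MS = 60 * 1000;  // assumed: at most one server ping per minute

class IdleSession {
  constructor(now, { idleMs = IDLE_MS, absoluteMs = ABSOLUTE_MS,
                     minGapMs = HEARTBEAT_MIN_GAP_MS } = {}) {
    this.startedAt = now;      // fixed at login; the absolute cap counts from here
    this.lastActivity = now;   // moved forward by user activity
    this.lastHeartbeat = now;  // last time a keep-alive was sent to the server
    this.idleMs = idleMs;
    this.absoluteMs = absoluteMs;
    this.minGapMs = minGapMs;
  }

  // Returns 'absolute', 'idle', or null while the session is still valid.
  // The absolute check comes first: no amount of activity can override it.
  expiredReason(now) {
    if (now - this.startedAt >= this.absoluteMs) return 'absolute';
    if (now - this.lastActivity >= this.idleMs) return 'idle';
    return null;
  }

  // Record user activity. Returns true when a heartbeat should actually be
  // sent (throttled so a moving mouse does not flood the server). Activity
  // observed after expiry does not revive the session; the user must log in.
  activity(now) {
    if (this.expiredReason(now)) return false;
    this.lastActivity = now;
    if (now - this.lastHeartbeat >= this.minGapMs) {
      this.lastHeartbeat = now;
      return true;
    }
    return false;
  }
}

// Browser wiring: hook common activity events to the tracker. Skipped when
// there is no DOM (e.g. under Node), so the module loads anywhere.
function attachActivityHeartbeat(session, sendHeartbeat, clock = Date.now) {
  if (typeof document === 'undefined') return false;
  const onActivity = () => { if (session.activity(clock())) sendHeartbeat(); };
  for (const ev of ['mousemove', 'keydown', 'click', 'scroll', 'touchstart']) {
    document.addEventListener(ev, onActivity, { passive: true });
  }
  return true;
}
```

The server must enforce the same two limits on its own clock; the client-side tracker only decides when to send keep-alives and when to show the user a logout, it is not the security boundary.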

Nifty3929|2 years ago

"management gave us no choice" - Would you have done differently?

"The only way we could show clients a passing pentest..."

cnity|2 years ago

Push back on the pentest firm and explain reasoning, rather than bubbling pointless requirements to the engineers.