PaperTrail (167d): Not only do we use+enable Swagger in production, my mgr requested I create a 'back door' in my authentication service to create an Admin JWT security token so he can authenticate communication between services without having to worry about Active Directory permissions.
Me: "This doesn't seem secure"
Mgr: "Nah...it'll be fine. We'll lock down the authentication at the load balancer so no one but ServerA and ServerB can use that endpoint."
I was sure to document the request+changes as I'm sure someone, someday will say "OMG...what the frack is this?!!!!"
PaperTrail (166d): @IntrusionCM > "I am feeling very concerned"
It's good, or bad, or sad, we have precedent for that sort of thing. Our credit card services endpoints are locked down so that the only way anyone could access them is physically being on the machine and hitting localhost (and it can't 'see' anything on the outside world).
We've had a number of PCI audits; it hasn't thrown any red flags, and at least 3 attempted breaches/cyber-attacks (all failed).
That said, a still, small voice is saying to me 'cover your ass, document everything!'
I'm very sensitive when one wants to rip open a security hole with the reasoning "we close it in the load balancer"...
Cause that means that whenever one "circumvents" the load balancer the hole is plain open.
Yeah. As long as you don't do that it's okay...
... but then it shall never be forgotten - and that can be a problem XD
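As an added illustration of that last point (example code, not from anyone in this thread): the token endpoint as ranted about, which relies on the load balancer alone, beside a version that checks the calling service's own credential and issues a scoped, short-lived token. All keys, secrets and addresses below are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-signing-key"  # placeholder, not a real key
SERVICE_SECRETS = {"ServerA": b"secret-a", "ServerB": b"secret-b"}  # constructed per-service secrets
LB_ALLOWLIST = {"10.0.0.1", "10.0.0.2"}  # constructed addresses the load balancer lets through

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(subject: str, audience: str, ttl: int = 300) -> str:
    """HS256 JWT with a short lifetime and an explicit audience."""
    now = int(time.time())
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps({"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str):
    """Claims if the signature checks out and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(parts[2])):
        return None
    claims = json.loads(_unb64(parts[1]))
    return claims if claims["exp"] > time.time() else None

def backdoor_endpoint(source_ip: str, via_lb: bool):
    """The rant's design: the service does no auth of its own; only the load balancer filters callers."""
    if via_lb and source_ip not in LB_ALLOWLIST:
        return None
    return mint_jwt("admin", "*", ttl=86400)  # long-lived, all-powerful token for anyone who gets here

def make_proof(service: str, ts=None) -> str:
    """Caller side: '<timestamp>:<hmac>' under the service's own secret, so proofs age out."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(SERVICE_SECRETS[service], f"{service}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def hardened_endpoint(source_ip: str, via_lb: bool, service: str, proof: str):
    """Defence in depth: the service verifies the caller itself, whether or not the LB is in front."""
    if via_lb and source_ip not in LB_ALLOWLIST:
        return None
    ts_text, _, _ = proof.partition(":")
    if service not in SERVICE_SECRETS or not ts_text.isdigit() or abs(time.time() - int(ts_text)) > 60:
        return None
    if not hmac.compare_digest(make_proof(service, int(ts_text)), proof):
        return None
    return mint_jwt(service, "internal-services")  # scoped to that service, 5-minute lifetime
```

A request that reaches `backdoor_endpoint` without passing through the load balancer gets an admin token; the same request to `hardened_endpoint` gets nothing unless it carries a fresh proof under a known service secret.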