zlacker

[parent] [thread] 11 comments
1. malfis+(OP) 2025-01-05 14:21:28
Checklist security at its finest.

My team where I work is responsible for sending frivolous newsletters via email and SMS to over a million employees. We use an OTP for employees to verify they gave us the right email/phone number to send them to. Security sees "email/SMS" and "OTP" and therefore tickets us at the highest "must respond in 15 minutes" priority every time an employee complains about having lost access to an email or phone number.

Doesn't matter that we're not sending anything sensitive. Doesn't matter that we're a team of 4 managing more than a million data points. Every time we push back security either completely ignores us and escalates to higher management, or they send us a policy document about security practices for communication channels that can be used to send OTP codes.

Security wields their checklist like a cudgel.

Meanwhile, in our bug bounty program, someone found a dev had opened a globally accessible instance of the dev employee portal with sensitive information and reported it. Security wasn't auditing for those, since it's not on their checklist.

replies(4): >>dfsego+81 >>plagia+df >>throwa+1x1 >>Kerbon+Jj6
2. dfsego+81 2025-01-05 14:31:28
>>malfis+(OP)
I feel this. Recently implemented a very trivial “otp to sign an electronic document” function in our app.

Security heard “OTP” and forced us through a 2 month security/architecture review process for this sign-off feature that we built with COTS libraries in a single sprint.

replies(2): >>malfis+G8 >>smarx0+Y8
3. malfis+G8 2025-01-05 15:31:54
>>dfsego+81
Oh I know that feeling. We got in hot water because the codes were 6 digits long and security decided we needed to make them eight digits.

We pushed back and initially they agreed with us and gave us an exception, but about a year later some compliance audit told them it was no longer acceptable and we had to change it ASAP. About a year after that they told us it needed to be ten characters alphanumeric and we did a find and replace in the code base for "verification code" and "otp" and called them verification strings, and security went away.

replies(1): >>dfsego+iu4
4. smarx0+Y8 2025-01-05 15:34:41
>>dfsego+81
To be fair, I would also be alarmed, albeit not by OTP. "Sign an electronic document" and "built with COTS libraries in a single sprint" is essentially begging for a security review. Signatures and their verification are non-trivial, case in point: >>42590307
replies(1): >>talkin+xm
5. plagia+df 2025-01-05 16:25:27
>>malfis+(OP)
I have had to sit through "education" that boiled down to "don't ship your private keys in the production app." Someone needed to tick some security training checkbox, and I drew the short straw.
6. talkin+xm 2025-01-05 17:23:39
>>smarx0+Y8
Nobody said you shouldn’t do any due diligence. But 1 sprint vs 2 months of review really smells like ‘processes over people’. ;)
replies(1): >>normie+uz
7. normie+uz 2025-01-05 19:03:15
>>talkin+xm
A more positive view would be that the security team may have had different priorities to the product team.
replies(1): >>robert+L71
8. robert+L71 2025-01-06 00:11:25
>>normie+uz
Two months of review after the work would be a lot more useful than before.
9. throwa+1x1 2025-01-06 04:49:43
>>malfis+(OP)
> My team where I work is responsible for sending frivolous newsletters via email and sms to over a million employees.

"Frivolous newsletters" -- thank you for your honesty!

Real question: One million employees!? Even Foxconn doesn't have one million employees. That leaves only Amazon and Walmart according to this link: https://www.statista.com/statistics/264671/top-50-companies-...

replies(1): >>joseda+s42
10. joseda+s42 2025-01-06 12:01:56
>>throwa+1x1
"To a million employees" doesn't necessarily mean they're from the same company.

They might be a third-party service for companies to send mail to _their_ employees.

11. dfsego+iu4 2025-01-07 04:14:35
>>malfis+G8
Heh. We also got treated to the digit thing. That topic alone was about 30 minutes of meeting time, with a VP of engineering and 2 seniors in the meeting.
12. Kerbon+Jj6 2025-01-07 19:18:01
>>malfis+(OP)
Stop calling it an OTP and call it a temporary PIN :)