zlacker

I feel this. Recently implemented a very trivial “otp to sign an electronic document” function in our app.

Security heard “otp” and forced us through a 2 month security/architecture review process for this sign-off feature that we built with COTs libraries in a single sprint.

>>dfsego+(OP)
Oh I know that feeling. We got in hot water because the codes were 6 digits long and security decided we needed to make them eight digits.

We pushed back and initially they agreed with us and gave us an exception, but about a year later some compliance audit told them it was no longer acceptable and we had to change it ASAP. About a year after that they told us it needed to be ten characters alphanumeric and we did a find and replace in the code base for "verification code" and "otp" and called them verification strings, and security went away.

>>dfsego+(OP)
To be fair, I would also be alarmed, albeit not by OTP. "sign an electronic document" and "built with COTs libraries in a single sprint" is essentially begging for a security review. Signatures and their verification are non-trivial, case in point: >>42590307

>>smarx0+Q7
Nobody said you shouldn’t do any due diligence. But 1 sprint vs 2 months of review really smells like ‘processes over people’. ;)

>>talkin+pl
A more positive view would be that the security team may have had different priorities to the product team.

>>normie+my
Two months of review after the work would be a lot more useful than before.

>>malfis+y7
Heh. We also got treated to the digit thing. That topic alone was about 30 mins of mtg. time with a vp of eng and 2 seniors in the mtg.