[Image: Andrew Tierney inviting penetration testers to detail their most titillating stories]

Recently @cybergibbons, a security professional that I follow on Twitter, asked his fellow industry colleagues to detail their worst experiences with clients when performing commissioned penetration tests. The responses provided by him and others in his field have been really EYE-OPENING, and show just how arsey (British 🇬🇧) organisations can get when their security flaws are exposed and documented in writing. I thoroughly recommend checking this thread out for some popcorn 🍿 munching drama 🤣. The responses included:

- Dismissing important findings as "out of scope"
- Being told not to report things due to company politics 😒
- Being refused access to infrastructure after finding serious vulnerabilities
- Being forced to write about TERRIBLE architecture whilst supervised by a senior point of contact to ensure the content was to their liking (i.e. covered up)

It is truly fascinating to read such insights, and it goes to show how many organisations are happy to tell you how seriously they take privacy and security, but when it comes down to it would rather develop systems where security hasn't been considered and hide any vulnerabilities that are inevitably found. This can be the result of ONLY thinking about security AFTER a system has been developed and NOT considering it throughout. Because development can be expensive, and any security fixes suggested towards the END (i.e. close to deployment/roll-out) can add significant extra costs and project delays, some organisations opt to take the easy way out. In other cases, some organisations simply don't care about security, and would rather cut corners and use corporate platitudes in press releases.

Designing your systems with security in mind is the optimal way of balancing cost with preventing security incidents. Yes, it can increase day-to-day overheads, but in the long run it saves SO MUCH, as any suggestions later on will likely be small changes. Leaving security until the end of a project increases the likelihood of MAJOR architectural changes being required, which are HUGELY expensive. If you care about keeping your data safe and secure, then consider security throughout your project lifecycle and don't just tack it on at the end.

[Image: Barbed wire and cameras to keep the bad people out after considering security]

As an aside, I've been following @cybergibbons ever since he blew the lid wide open on vulnerabilities within the Tapplock IoT "SMART" lock. I recommend that developers of systems follow the accounts of the people who make a living from breaching infrastructure, to get an appreciation of how they do what they do. I also suggest going through the excellent Secure Coding Practices and Top 10 Vulnerabilities published by the Open Web Application Security Project (OWASP) to give you a stronger understanding of how to protect against attacks.

Links:

This Fingerprint-Verified Padlock is Extremely Easy to Hack

Twitter (@cybergibbons): Andrew Tierney

Twitter (@viss): Dan Tentler

OWASP: Secure Coding Practices

OWASP: Top 10 Project

Take care and all the best. Si.