Posted by EatonZ 6 days ago
Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.
In most cases, security and QA are essentially two sides of the same coin - and this is why I get pissed when devs treat testing and QA as bulls**t, because even a relatively simple XSS attack or cred misconfig can have a massive impact.
I would say they need to 'think like an attacker' at least some of the time. But this is still too high of a bar.
I think this is really a problem of rewarding people when they finish things. One way or the other. It works, so on to the next project...
Shift-left was supposed to fix that but it failed because the primary persona to sell ended up becoming the CISO again, and not trying to find a way to make security ownership a Dev and QA responsibility as well (this is largely organizational).
A good QA can catch/test such security issues, although most of such work is given to a dedicated pen tester to find weaknesses in the platform.
You install their Github app and give them access to your Github repo (private repos are ok too) and they run a Github workflow when each PR is submitted scanning for secrets that should not be in the code. Really happy with how their product works.
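The PR-time secret scan described in the comment above, as an added illustration that is not the product's code and is not part of the original thread: a minimal scanner that looks only at the lines a diff adds, flags two publicly documented token formats (AWS access key IDs and GitHub personal access tokens) plus long high-entropy hex strings, and fails the check when anything is found. The sample diff, the rule names and the entropy threshold are constructed for this example.

```python
"""Minimal pull-request secret scanner over a unified diff (constructed example)."""
import math
import re

# Fixed-prefix token formats whose shape is publicly documented.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Long hex runs are only reported when their entropy looks random (hash-like keys).
HEX_CANDIDATE = re.compile(r"\b[0-9a-fA-F]{32,}\b")
HEX_ENTROPY_THRESHOLD = 3.0  # bits per character; uniformly random hex approaches 4.0
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample PR diff: one hard-coded AWS key (the AWS docs' example key),
# one GitHub-token-shaped string and one 40-char hex secret, plus a harmless line.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
+SESSION_SECRET = "c3a9f1e7b2d4c6a8e0f1b3d5a7c9e1f3b5d7a9c1"
+APP_NAME = "inventory-service"
"""


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every '+' line of a unified diff.

    Removed ('-') lines are deliberately skipped: a secret that is being deleted
    is not what a PR gate should block on, and scanning it would create noise.
    """
    path, new_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            path = None
        elif raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif raw.startswith("--- "):
            continue
        elif HUNK_HEADER.match(raw):
            new_no = int(HUNK_HEADER.match(raw).group(1))
        elif raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue  # removed line or "\ No newline at end of file"
        else:
            new_no += 1  # unchanged context line still advances the new-file counter


def scan_line(text):
    """Return [(rule, matched_text), ...] for one added line."""
    hits = []
    for rule, rx in PATTERN_RULES.items():
        hits.extend((rule, m.group(0)) for m in rx.finditer(text))
    for m in HEX_CANDIDATE.finditer(text):
        if shannon_entropy(m.group(0)) >= HEX_ENTROPY_THRESHOLD:
            hits.append(("high-entropy-hex", m.group(0)))
    return hits


def scan_diff(diff_text):
    """Collect findings as dicts with path, line, rule and the matched token."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for rule, token in scan_line(text):
            findings.append({"path": path, "line": line_no, "rule": rule, "match": token})
    return findings


def pr_check_passes(diff_text):
    """The gate a PR workflow would enforce: pass only when nothing was found."""
    return not scan_diff(diff_text)


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        # Report the location and rule, never the full secret, in CI logs.
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['match'][:6]}...)")
    raise SystemExit(0 if pr_check_passes(SAMPLE_DIFF) else 1)
```

In a real workflow the job would run this against the PR's diff (for example the output of `git diff origin/main...HEAD`) and the non-zero exit status is what marks the check as failed; the removed line in the sample shows why only added lines are scanned.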
I worked for them a little bit and their product is really impressive and works great.