We are still living in 90s

As soon as I began reading this article, it immediately reminded me of a person I had to deal with regarding a security audit.

I was working on a web application written in PHP/MySQL. We had to deploy it on a scalable infrastructure, and with the kind of money being poured into marketing it, it was supposed to generate a lot of traffic. Which it did.

We were obviously concerned about security too. We hired a company to do that for us. It was all good until the guy asked us to give them the FTP details of the server. Asking for FTP details was still alright; only our servers did not have FTP. Why? Because we hosted it on Heroku. A scalable infrastructure, you know! Heroku, Cloudflare, S3, etc.

And if you know how Heroku works, it does not give you a static IP address. Instead you use a CNAME record. I had such a hard time explaining this to him and his audit team.

I spent four days fighting with them, trying to explain why it's not possible and what infrastructure we are using. Once, I even bluntly dared them to break into the system if they could. Futile attempts.

Anyway, this is one of the responses I received from this guy:

We were trying to identify the IP address associated with this URL, required for performing the server pentest. We tried the nslookup command to identify the IP mapped to this URL. However, we get a different IP address every time we use nslookup to find the IP.

Isn't that how Heroku is supposed to work? I also shared a few links from Heroku's user guide in an attempt to clear up his confusion. He still did not listen or even agree. All he wanted was FTP access. No matter what.
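The behaviour the auditor stumbled over is the normal shape of a CNAME-fronted, load-balanced host: the hostname resolves through an alias to a pool of addresses that changes between lookups, so "the IP of the server" is not a meaningful scoping target. The script below is an added example, not code from the original post or from Heroku, and it works entirely on constructed nslookup output (BIND-style Linux formatting is assumed; the hostnames and the 203.0.113.x / 198.51.100.x addresses are documentation values, not real Heroku records). It parses several runs, follows the CNAME, and reports whether the address set is stable, which is the evidence you would hand to an auditor to show that the engagement must be scoped by hostname and application rather than by IP.

```python
import re

# Constructed nslookup outputs (not real lookups). Two runs against a hostname
# that is a CNAME to a rotating pool, plus one run against a plain static host.
ROTATING_POOL_RUNS = [
    "Server:\t\t192.0.2.53\n"
    "Address:\t192.0.2.53#53\n"
    "\n"
    "Non-authoritative answer:\n"
    "www.example.com\tcanonical name = example-app.herokudns.com.\n"
    "Name:\texample-app.herokudns.com\n"
    "Address: 203.0.113.10\n"
    "Name:\texample-app.herokudns.com\n"
    "Address: 203.0.113.11\n",
    "Server:\t\t192.0.2.53\n"
    "Address:\t192.0.2.53#53\n"
    "\n"
    "Non-authoritative answer:\n"
    "www.example.com\tcanonical name = example-app.herokudns.com.\n"
    "Name:\texample-app.herokudns.com\n"
    "Address: 198.51.100.7\n"
    "Name:\texample-app.herokudns.com\n"
    "Address: 198.51.100.8\n",
]

STATIC_HOST_RUNS = [
    "Server:\t\t192.0.2.53\n"
    "Address:\t192.0.2.53#53\n"
    "\n"
    "Non-authoritative answer:\n"
    "Name:\tlegacy.example.com\n"
    "Address: 203.0.113.200\n",
] * 2

CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")
ADDR_RE = re.compile(r"^Address:\s+(\S+)$")


def parse_nslookup(text):
    """Return (cname_chain, ips) from one nslookup run.

    cname_chain is a list of (alias, target) pairs in the order printed.
    The resolver's own 'Address: x.x.x.x#53' line carries a '#port' suffix
    and is skipped so it is never mistaken for an answer record.
    """
    chain, ips = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = CNAME_RE.match(line)
        if m:
            chain.append((m.group(1), m.group(2).rstrip(".")))
            continue
        m = ADDR_RE.match(line)
        if m and "#" not in m.group(1):
            ips.append(m.group(1))
    return chain, ips


def summarize(runs):
    """Compare several runs and decide how the target should be scoped.

    A host whose answer set changes between runs, or which is reached via a
    CNAME into someone else's pool, is scoped by hostname: the addresses are
    shared, short-lived infrastructure rather than 'our server'.
    """
    parsed = [parse_nslookup(r) for r in runs]
    ip_sets = [frozenset(ips) for _, ips in parsed]
    first_chain = parsed[0][0]
    cname_target = first_chain[-1][1] if first_chain else None
    stable = len(set(ip_sets)) == 1
    return {
        "cname_target": cname_target,
        "ips_seen": sorted(set().union(*ip_sets)),
        "stable_between_runs": stable,
        "scope_by": "ip" if stable and cname_target is None else "hostname",
    }


if __name__ == "__main__":
    for label, runs in (("rotating pool", ROTATING_POOL_RUNS),
                        ("static host", STATIC_HOST_RUNS)):
        print(label, summarize(runs))
```

The `scope_by` field is the practical takeaway: for the rotating pool the report says "hostname", because any single address an auditor pins down today may belong to a different tenant tomorrow, while the static host with one unchanging A record is the only case where an IP-based server test even makes sense.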

I had to make a decision: either fight with these guys, or move the servers. I decided to move the servers to AWS. I did that because we could not afford to delay the launch of the app.

But one thing is for sure: there are a lot of people still around living in their own la-la land of the 90s. They don't understand how technology moves and evolves. On top of that, these people are never ready to even learn or listen to you.

I agree, I succumbed to the circumstances, but I did learn a thing or two.

Published by

Neeraj Kumar

#technologist #musician #traveller

  • Shashank Kumar

    There are better security auditors out there who know how to do security audits for cloud applications. Controlcase is one I can personally recommend.