Hacker News

applfanboysbgon, last Tuesday at 10:22 PM (10 replies)

Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.


Replies

morpheuskafka, last Wednesday at 8:33 AM

At my last job, I opened up Shodan in my free time and clicked through our ASN with the free filters. In two minutes I found multiple iDRACs online. Surprisingly, none had default passwords. But one had a years-old vulnerability with a public exploit allowing takeover...

Turns out during the firewall hardware migration years ago, several units' firewalls were switched to audit mode (not enforcing rules). So an entire institute (health research!) had their whole subnet public with zero firewalls, both the server OS and iDRAC interfaces. iDRAC isn't even supposed to be on the same VLAN per Dell, let alone on the internet.

To top it off, after making some tickets (admittedly not all as serious, e.g. MFP web UIs on the internet) from Shodan, I got pushback from the firewall team for causing units to submit too many changes.

I also got in trouble with our Qualys analyst for undermining his work because he hadn't gotten to that unit's annual review yet, even though I didn't even have a Qualys login. (And even if I had found it there, since when do we wait for annual reviews to fix that?)

It took at least three weeks internally to get it fixed, and by that I mean only the iDRAC IP blocked with the server itself still wide open.

And that's only because I mentioned it to my manager (awesome guy and not formally responsible for firewall rules) after an unrelated no-firewall host incident came through and he authorized an emergency rule.

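The sweep described above can be made repeatable instead of a one-off click-through. The following is an added example, not code from the commenter: it triages a Shodan-style host export (JSON lines using the `ip_str`, `port`, `product` and `data` fields) for out-of-band management interfaces and printer web UIs, keeps only hosts inside the netblocks you actually own, and ranks findings so the iDRAC/iLO/IPMI hits come first. The export content, the netblock and the fingerprint heuristics are all constructed for the example; real banners vary by firmware, so treat the markers as a starting point, not a vendor list.

```python
"""Triage a Shodan-style host export for internet-exposed management interfaces.

Added example (not the commenter's code). Field names follow Shodan's JSON
export, but the records below are constructed and the IPs are documentation
ranges. Fingerprints are heuristics assumed for the example.
"""
import ipaddress
import json
import re

# Constructed sample export: one host/port record per line.
SAMPLE_EXPORT = r"""
{"ip_str": "203.0.113.10", "port": 443, "product": "Dell iDRAC", "data": "HTTP/1.1 200 OK\r\nServer: iDRAC/9\r\n"}
{"ip_str": "203.0.113.11", "port": 623, "product": "", "data": "IPMI"}
{"ip_str": "203.0.113.12", "port": 443, "product": "nginx", "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"}
{"ip_str": "203.0.113.13", "port": 80, "product": "", "data": "HP LaserJet MFP embedded web server"}
{"ip_str": "203.0.113.14", "port": 22, "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_8.9"}
{"ip_str": "203.0.113.15", "port": 443, "product": "HP iLO", "data": "HTTP/1.1 200 OK\r\nServer: HP-iLO-Server/1.30\r\n"}
{"ip_str": "198.51.100.5", "port": 443, "product": "Dell iDRAC", "data": "Server: iDRAC/8"}
"""

# Assumed fingerprints. Word boundaries avoid matching "ilo" inside "silo" etc.
BMC_RE = re.compile(r"\b(idrac|drac|ilo|ipmi|bmc|cimc)\b")
PRINTER_RE = re.compile(r"\b(mfp|laserjet|printer|jetdirect)\b")
# Ports that are management-plane regardless of banner.
BMC_PORTS = {623: "IPMI/RMCP", 5900: "virtual console (VNC)"}
SEVERITY_RANK = {"critical": 0, "medium": 1}


def classify(record):
    """Return (severity, reason) for one host record, or None if nothing to ticket."""
    port = record.get("port")
    text = (record.get("product", "") + " " + record.get("data", "")).lower()
    if port in BMC_PORTS:
        return ("critical", f"{BMC_PORTS[port]} on port {port} reachable from the internet")
    if BMC_RE.search(text):
        return ("critical", "out-of-band management interface (BMC/iDRAC/iLO) reachable from the internet")
    if PRINTER_RE.search(text):
        return ("medium", "printer/MFP web UI reachable from the internet")
    return None


def triage(export_text, owned_cidrs):
    """Parse a JSON-lines export, keep hosts in owned_cidrs, return ranked findings."""
    owned = [ipaddress.ip_network(c) for c in owned_cidrs]
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip_str"])
        # An ASN view can include neighbours' space; only ticket what we own.
        if not any(ip in net for net in owned):
            continue
        hit = classify(rec)
        if hit is not None:
            findings.append({"ip": str(ip), "port": rec["port"],
                             "severity": hit[0], "reason": hit[1]})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ip"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT, ["203.0.113.0/24"]):
        print(f"{f['severity']:8} {f['ip']}:{f['port']}  {f['reason']}")
```

On the constructed sample this reports three critical findings (the two iDRACs and the iLO, plus the bare IPMI port) ahead of the MFP, and drops the 198.51.100.5 iDRAC because it sits outside the owned netblock. The severity split mirrors the commenter's point: a BMC on the public internet is an emergency rule, not an item for the next annual review.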
morpheuskafka, last Tuesday at 10:25 PM

They may be part of it, but as a publicly traded company, there have got to be at least a few people there with a fancy pedigree (not that that actually means they are good at their job or care). But if such a test existed, they presumably would have passed it.

They also have an ISO 27001 certificate (they try to claim a bunch of AWS's certs by proxy on their security page, which is ironic as they say AWS stores most of their data while apparently all uploads are on this).

Aurornis, last Wednesday at 1:21 AM

> should require some kind of genuine software engineering certification

Wouldn't change a thing, other than add another hassle you have to pay for to do your job.

This is the result of carelessness, not someone who didn't know that private data should be private because they weren't certified.

userbinator, last Wednesday at 6:35 AM

> some kind of genuine software engineering certification

That only gives those in power another way to push people into toeing the line. There's enough corporate authoritarianism these days as it is already. Give Stallman's "Right to Read" a read. His dystopia is exactly where we're going to be headed quickly if we keep demanding someone to "do something".

"The optimal amount of fraud is nonzero."

"Those who give up freedom for security deserve neither."

victorbjorklund, last Wednesday at 7:03 AM

I once worked in a company and noticed that customer financial statements were publicly accessible. Ran into the software team. And got the reply that no one told them that it should be behind authentication. Some people really don't use their own brains.

Loughla, last Tuesday at 11:01 PM

Teachers have to be licensed and keep up on licensing.

Plumbers. Electricians. Lawyers. Doctors. Hell, I have to get a license to run my own business.

Why shouldn't software come with a branch for licenses if you're working with sensitive data?

ge96, last Wednesday at 2:37 AM

People at my company don't even lock their computers when they walk away from their desks. Which, yeah, it's in a controlled environment, but still.

fnimick, last Tuesday at 10:58 PM

At least I'm sure LLM tools deploying code to production won't result in this happening more frequently. "Make sure it's secure. Make no mistakes."

philip1209, last Wednesday at 2:46 AM

Good thing it's getting easier to code; nothing bad can come of this :-)

borplk, yesterday at 1:48 AM

Unfortunately everything is going in the opposite direction.

We are in the age of AI-slop AI-everything AI-break-it AI-fix-it.

Software companies are competing with each other on how low they can push the quality and still get away with it.

There's no reward or incentive for paying attention to the details or the quality. In fact you will get penalised for it.