SwiftOnSecurityDec 5, 2022
Microsoft seeing people use their products with the default settings they ship to customers
Show threadKostcheiDec 30, 2022
@SwiftOnSecurity a year+ ago I did azure security training, provided by Microsoft, in singapore, to folks they knew were security professionals ...
And every session of the multi-week epic involved setting up resources groups, servers, storage and users with credentials or settings that were just plain insecure. "we'll just do X- you wouldn't do this in production but for training purposes we'll do this quick work around" every time, every exercise.
"here's an rdp link" " copy this password" "open this to internet so we can X"
Teach / train /ship by default.. the way you want people to use it-- this must be, securely. Anything else is an abomination, a taint on the future... /rantoff
Show threadDave DustinDec 30, 2022

@kostchei @SwiftOnSecurity Preach it.

I once proposed a training course about how to secure SQL Server to the point stoneage mindset auditors couldn't find a fault.

Better part of a week required if we made them do labs properly.

Nope, was made to cut it down to half-day of training, and two half-day of labs (second one optional for juniors)

Show threadsailingbikeruk
@venzann bet they still claim to “take your security seriously” though 😔
Dec 30, 2022 at 7:50amWeb