#web-security
2021-09-02
robert-stuttaford11:09:00

we pass all our black-box pentests, but that's not the same as saying we don't have vulns. i really enjoyed listening to @lvh, and i'm eager to engage with his company the way they think it should work. we benefit from Datomic in a nice way here - a very common source of security issues is just simply bypassed (SQL injection). I don't want to be complacent, though. so i'm keen to talk about this pretty much continuously 🙂

slipset11:09:47

Regarding pen-tests, we have them so that we can check the box in enterprise sales. To be somewhat more confident, we use HackerOne, which is a hacker-as-a-service, where hackers (as much as I dislike calling them that, since they’re really crackers, but that battle is lost) continuously try to find vulnerabilities in our app, and are paid rather handsomely when they do. We see that the hackers invest quite a bit of time to learn our app, and they find much more interesting stuff than what the regular pen-tests do.

slipset11:09:18

It’s also interesting to see how their findings have changed over time. Ardoq is an old app, and pre-dates React, so in our older code we had quite a few XSS vulnerabilities. All new dev is done in React, and in combination with putting in place CSP, we’ve basically eliminated XSS. Which is good.

robert-stuttaford13:09:58

nice. i'm keen to check HackerOne out

seancorfield16:09:30

logbot should always have its buddy zulip-mirror-bot with it 🙂

👍 2
seancorfield16:09:15

We're kind of unusual in that we implemented our own OAuth2 setup, so we have an auth server and a login server and separate APIs that use the tokens from the auth server. Although we also support login via Facebook.