Exceptional piece of investigative journalism detailing the internal corporate fights to warn about a ticking bomb type of flaw "Golden SAML".
“Azure was the Wild West, just this constant race for features and functionality,”
“You will get a promotion because you released the next new shiny thing in Azure. You are not going to get a promotion because you fixed a bunch of security bugs.”
Product managers had little motivation to act fast, if at all, since compensation was tied to the release of new, revenue-generating products and features. That attitude was particularly pronounced in Azure product groups, former MSRC members said, because they were under pressure from Nadella to catch up to Amazon.
The ProPublica article reveals internal practices at Microsoft that prioritized new features over security for years, aiming to establish Azure as the leading cloud platform. This approach involved downplaying security issues, which enabled state actors to exploit these vulnerabilities. When Russian hackers breached SolarWinds' network management software, they did leverage post-exploit weaknesses, as the Golden SAML that Andrew was trying to warn about during years, to steal sensitive data and emails from the CLOUD.
Finally, these practices contributed to the Exchange compromise by Chinese actors, which eventually led to a highly critical report from the Cyber Safety Review Board.
Ref: https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers
No hay comentarios:
Publicar un comentario
Trata a los demás como te gustaría ser tratado.