29
this post was submitted on 21 Aug 2023
29 points (100.0% liked)
Programming
17397 readers
170 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities [email protected]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Oh, yeah, I had forgotten about this kind of attack.
Do you think this is a concern if the calls are only meant to be done in an internal network?
The modern way of thinking about security of internal networks is to assume there is no such thing (marketing term: Zero Trust).
I'd consider it a concern if I was in your shoes, yes. Mostly for the reasons jflorez mentioned.
Major security breaches wherein an attacker gained has access to an internal, private network happen not infrequently. Target (the retail chain) leaked a ton of their customers' credit card to attackers over the course of (IIRC) months. The attackers couldn't have done it (at least not in the way they did) without first breaching Target's private corporate network.
Never underestimate the risk of an attack coming from the inside.
Also once you have an implementation with a certain kind of authentication other devs are likely to copy what you have successfully deployed and then your security assumptions will make it into public facing code without much consideration