
So this is now the second time Okta was compromised, dragged their feet for weeks, and then almost got a third-party/client compromised?

The tone of this is fine. What isn't fine is that Cloudflare isn't dropping Okta. I might consider dropping Okta.



At one former gig the “security architect” and CISO didn't even flinch when Okta got breached the first time. They still happily migrated to it with much fanfare, since it helped them tick a compliance box.


This is a naive take. Okta solves both security and non-security problems.

If they keep undermining the 'security' bits they will 100% get ditched. Assuming there is a credible alternative. But I'd argue there isn't a credible alternative at the moment (on either the security or non-security front).

If you listed all of the 'security forward' SaaS companies you can think of, I guarantee 3/4 use Okta. I also bet all would be keen to switch as soon as an alternative was reasonably 2x better on either the 'security' or 'non-security' fronts, even given the massive pain in the bum it would be to migrate. No one loves Okta or their sales team.

The dumbest guidance your security architect could have given was "Okta got hacked by actors that don't care about us. We should move to ${SOLUTION} that is objectively worse for users and probably worse for security"


> If they keep undermining the 'security' bits they will 100% get ditched.

No they won’t. This is my point - the ‘security’ bit isn't even on the radar of 3/4 of those companies. Compliance is.

We were using a different solution at that point and planning a move TO Okta. It wasn’t just about the fact it was hacked (happens to the best of us) but how they got hacked, how they found out and how they responded, all of which made it immediately clear what a nightmare it was/is.


Current org (thousands of IT folks) has opened an internal issue about alternatives and a migration plan.


A couple of points.

First, Okta should get credit for publicly acknowledging the compromise.

Second, expecting any company or organization to never get hacked is unrealistic. Organizations which are transparent and acknowledge their security breaches should get credit for it. Organizations which cover things up should be avoided.

Third, no one knows how to build secure software or services. The closest anyone has gotten is OpenBSD, but it can still be hacked once you install software on it.

Fourth, the number of publicly acknowledged breaches does not tell us anything about Okta’s security. Here is why:

- We do not know how many breaches each authentication provider has had

- We do not know how many breaches were never detected by the authentication provider

- We do not know why the breaches occurred. Breach causes can range from gross incompetence to “WOW, that attacker was really clever and found a new class of security bugs”.

- We do not know how Okta responded to the breach. We also don’t know how its competitors respond to their breaches.

My main point is security is hard and measuring security is also hard. We cannot use simple metrics to determine if an organization is a good organization or a bad one.


>First, Okta should get credit for publicly acknowledging the compromise.

"In early October 2023, Okta was notified of a breach resulting in hackers stealing HTTP access tokens from Okta's support platform by BeyondTrust. Okta CTO Charlotte Wylie denied the incident for a number of weeks, but later recognized that a breach had occurred"

https://en.wikipedia.org/wiki/Okta,_Inc.#cite_note-33

"Okta’s Wylie declined to answer questions about how long the intruder may have had access to the company’s case management account"

https://krebsonsecurity.com/2023/10/hackers-stole-access-tok...


"First, Okta should get credit for publicly acknowledging the compromise"

What????

They would reasonably face civil suits if they didn't.


If you cover up security incidents you are facing some actual jail time, not just civil suits. Look at what happened with the former Uber CISO for an example of this [0]

[0] - https://www.justice.gov/usao-ndca/pr/former-chief-security-o...


I think this was likely a case of a TA getting in with legitimate creds that they obtained from an outside source. How can that be stopped? Happens every day. As someone said earlier - scrub your HAR files and don't leave sensitive data out there. I don't see that this was much of a compromise of a system in that the TA likely got in with legit creds. Where these creds came from is the bigger question.
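The "scrub your HAR files" advice above is the one concrete mitigation in this thread. As an added example (not Okta's, Cloudflare's or any commenter's tooling), here is a redaction pass over a HAR export that blanks auth headers, cookies, token-like query parameters and response bodies before the file is attached to a support case; the header and parameter names are my own list and the sample HAR is constructed.

```python
"""Redact session material from a HAR export before sharing it with a vendor.
Added example; header/parameter names below are an illustrative, not exhaustive, list."""
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-api-key"}          # matched case-insensitively
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "session"}


def _scrub_url(url):
    """Blank token-like query parameters while keeping the rest of the URL intact."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def scrub_har(har):
    """Return a deep copy of *har* with cookies, auth headers and tokens removed."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = _scrub_url(req["url"])
        for part in (req, resp):
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED
        # Response bodies routinely echo session tokens; drop the body outright.
        resp.get("content", {}).pop("text", None)
    return har


# Constructed sample: one request carrying a session cookie and a bearer token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET",
                "url": "https://example.test/api?user=a&token=abc123",
                "headers": [{"name": "Host", "value": "example.test"},
                            {"name": "Cookie", "value": "sid=secret"}],
                "cookies": [{"name": "sid", "value": "secret"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=new"}],
                 "content": {"mimeType": "application/json",
                             "text": "{\"token\":\"abc123\"}"}}}]}}

if __name__ == "__main__":
    import json; print(json.dumps(scrub_har(SAMPLE_HAR), indent=1))
```

The original dictionary is left untouched, so the scrubbed copy can be diffed against it to confirm nothing but the sensitive fields changed.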


> don't leave sensitive data out there

Where "out there" is Okta. You are basically saying: Don't leave sensitive data with Okta.


I strongly suspect a lot of organizations cover up security incidents. Also, remember that the worst organizations don’t even know they were hacked.


I get it, I think what is really the egregious part is that they had the power to stop this two weeks prior and instead sat on the disclosure, didn't deal with the security issue, and then their inaction forced their client to act. Luckily CF has resources to detect and deal with this. Most of us probably do not.


This contains a lot of assumptions. Think of this in another context. How many reports do you think HR gets about a breach of company policy? Tons. They have to investigate each one to determine if a policy was actually broken, if the reporter is telling the truth, and what the scope of impact the policy breach had. Meanwhile the offender can continue to keep breaking policy. Now imagine you are an HR Services company managing HR for thousands of companies.... The point is it takes time to investigate and validate. Imagine the disruption if they took each report as true on face value.

I would also suggest that each of the companies that publicly posted have something to gain from doing so. We also don't know if they are telling the full story. Using the "we told Okta on X date" as assuming that starts the clock on Okta not disclosing a breach to the public is a pretty ridiculous take.

We still don't know the full circumstances of how this happened and Okta has not yet publicly commented on their side of this story, presumably because the investigation is ongoing. But reading the details in the Cloudflare post, access for the breach stopped on the 18th and Okta told customers on the 19th. Is Okta supposed to alert customers of every single report of a breach, every report that might have some credibility, etc...? Maybe there are process improvements to be made in the review process, but we have no visibility into the current level of effort they are making.

Meanwhile, other companies have had known issues for months/years (keyword is KNOWN) before disclosing. I don't want to be a victim of this more than anyone else, but I think we need to be more reasonable in our "hot takes" to these situations even if we are calling for continued improvement.


It’s actually legally required to publicly acknowledge a compromise. I was surprised by that too. It’s a nice constraint.


Only if material. Then an SEC filing would be made. Hasn't happened so far: https://www.sec.gov/edgar/browse/?CIK=1660134&owner=exclude


> Third, no one knows how to build secure software or services.

That is not an argument one would want to hear from a company whose only reason for existence is being good at security.


It’s true. Look at the number of security bugs in Android, iOS, Windows, Linux, Oracle, DB2, SQL Server, Postgres, MySQL, Nginx, Apache, Cisco routers, Intel chips, AMD chips, etc.

The security bugs are not there because of incompetence or stupidity. They are there because security is really hard and it is even harder to get every software engineer to care about security.

If the best organizations in the industry make security mistakes, what makes you think the rest don’t either?

Reality is often unpleasant. It is better to acknowledge it than to pretend it does not exist.


Again, security is important for all of those products, but unlike all of them, Okta has exactly one job.

Perfect security is impossible, but better than 50% odds of never getting critically compromised are reasonable to expect.

If their security is not good enough, their value quickly becomes negative. Not only are they already a gigantic target and a single point of failure, but by being visibly bad at security they are standing in the spotlight with "hack me" on their back.


What kind of argument is this? Sometimes, there are serious bugs in widely used products. So therefore shit vendors should get a pass when their 10 year old Apache instance gets owned? Because "security is hard, mkay"? No! It depends on the compromise.

(If Okta was zero-dayed, IMO we'd have heard about it. Great way to shift blame.)


You can't say they all make mistakes and equate them. How frequent and severe are the incidents? How sophisticated does the attacker have to be to exploit these bugs? After reading all this I'm not inclined to consider Okta.

