I've been through a handful of SOC2 audits and they've never asked us to _prove_ that we aren't storing passwords in plaintext or with reversible encryption (we weren't).
replyThis is why so much of vetting & compliance is toothless. You can have robust change management, physical security, network security, identity management, etc. policies but absolutely nobody wants to spend enough on audit & enforcement to make them meaningful.
The gov't will make you _claim_ that you do all of these things before awarding a contract, but they won't ever check.
Good actors will do the right thing regardless because they know the consequences of cutting corners.
See: the entire existence of Delve https://www.iansresearch.com/resources/all-blogs/post/securi...
replyI'm pretty shocked as well. I thought every company stopped doing this like 20 years ago? Even for a legacy system that is a long time to continue storing credentials like that.
reply20 years is rookie numbers in these systems. I guarantee it’s been at least 40 years since a single fuck was given.
replyMy wife works in IT at a mid sized city. They still store credentials in source control.
reply