They probably rely on network segmentation to keep the various components separated. If they consider the segmentation to be 100% effective, there'd be no need to do the kind of in-depth testing you advocate. I don't think it's justifiable to assume that segmentation doesn't have its own bugs that could be exploited.
Yeah, that seems to be what their attitude is. I have a couple of major issues with that though.
1. Relying on segmentation to protect vulnerable components is not a reasonable standard operating procedure. Segmentation is supposed to be an additional layer of protection, you’re also supposed to secure individual components.
2. It seems as though the researcher believed there may have been a way to bypass some of the segmentation (the segmentation between the medium-sensitive network and the highly-sensitive network). The article kinda implies that they didn’t test that layer of segmentation, that they only tested the most external layer (the segmentation between the non-sensitive network and the medium-sensitive network).
The whole response comes across as dismissive spin, that they hope will be consumed by people who don’t have a particularly sophisticated understanding of network/application security.
reply