
I can relate to a company not putting value on security, or thinking the cost of securing systems may be higher than the cost of getting hacked.

I once worked for a company where I inherited a RESTful API. It stored the company's core data, including private customer information. It had no authentication; it was completely open for anyone on the internet to read or update any of our data.

I alerted my manager about this and that made its way to the highest levels of the company. The decision was to create a backlog item. It took about a year before we got to it.

The reason we ended up finally fixing it was because we were contacted by a security researcher one day. He said he had found a vulnerability in our system, but wouldn't tell us what it was until we disclosed our bug-bounty terms (basically promising to pay him if he had found a real vulnerability). If we wouldn't do this, he was going to write a blog post about it.

My manager used some delay tactics to buy us some time, while we spent the next 24 hours slapping a band-aid on the API. Once we had fixed it and agreed to pay the researcher, he disclosed his vulnerability, and it had nothing to do with our API. It was a minor XSS that couldn't leak any sensitive information.

That sounds a lot like blackmail
