back to article It's Shodan embarrassing: Red-faced Rubrik blames public-facing DB on developer ballsup

Rubrik has fingered one of its developers after a database packed with customer information was left exposed. Security researcher Oliver Hough spotted the database, which apparently was not protected by a password. Rubrik shut the door after it was informed of the breach earlier this week. The firm told The Register that the …

  1. Alister

    "I think the lesson is that you can never leave configuration up to humans.

    No, the lesson is, don't expect developers to be good sysadmins - or vice-versa. Security should be done by somebody competent in the field, just as development should be.

    "The real lesson... is that by turning security into code, it can be built, tested, and managed in a completely automated fashion. To the maximum extent possible we have to get the humans out of the loop.

    And what a fucking nightmare that would be, if security was left up to automation.

    1. iron Silver badge

      That and devs should never have access to real customer data. If this database had been anonymized or mocked data there would have been no problems with posting it online with no password.

      I keep telling people in my work this but other than my dev team no one listens or cares.

      1. m0rt

        I care...

      2. defiler

        I agree 100%. It's a dev sandbox - it should have dev data. Properly redacted test data. People make mistakes, and sometimes the door is left open. But with actual, live data there would have been a few pairs of eyes checking it over. In this case one person was careless, but shouldn't have had that data.

        Also, for those saying security should be automated, that just means that all systems will have exactly the same weaknesses...

  2. Anonymous Coward

    Rubrik has fingered one of its developers


  3. Doctor Syntax Silver badge

    "I think the lesson is that you can never leave configuration up to humans."

    Another lesson is that you use dummy data for development and test. And also, of course, doing development on a public cloud is an opportunity to make your mistakes bigger.

  4. AndrueC Silver badge

    I bet they aren't foolproof.

  5. Omgwtfbbqtime


    Was hoping for some link to System Shock given the mention of Shodan.


    1. Chris King

      Re: Disappointed

      “Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine ?”

      I take it you know about the reboot ?

  6. csecguy44

    Quite a statement

    "We have confirmed that no customer-owned data was exposed."

    Hmm... there was customer data, and there was a door left wide open. Does the "-owned" sound a bit of a fine twist in the statement?

    1. Chris King

      Re: Quite a statement

      Oh, it wasn't "exposed". The intruders just sneaked off with it.

    2. mg2003

      Re: Quite a statement

      Likely "owned" is a distinction that a GDPR case will clear up!

  7. Tom 38

    Insecure by default

    ElasticSearch, SOLR, redis, MongoDB, probably many more.. - too many products ship with OOTB settings as insecure. Try that with any traditional database like postgres or mariadb, you have to do things to make them insecure.

  8. Anonymous Coward
    Anonymous Coward

    The irony here is that they tout their security chops - even bragging that they are the GOLD AWARD winner in the security (huh?) category. See their blog and ironic photo here:

    You care so much about security yet don't practice what you preach. Not surprised about this "do-as-I-say, not-as-I-do" company

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like