John Bull

Currently dealing with our InfoSec people insisting that they need to fully pen test a company we're buying a 50 quid, non-crit WordPress plugin off, and I'm like:

"Lads no. Can you maybe pretend to be normal for five minutes."

@garius ahhhh but budget budget must find reasons to keep budget 😁

@garius Ah yes. Have had exactly the same experience in the past; not only that, they seemed to think the company would jump through hoops to help with the testing and sign a contract and disclaimer to make the sale. I think it was a similar amount.

@garius I do see your point, but then when I was working at the FT, we had a whole stack of microsites that were WordPress, and they were responsible for 95% of all the incidents in the place.

I suspect it's a bit like when a doctor hears "a farmer has been admitted": a professorial Pavlovian reflex.

@secretbatcave @garius I agree with you @secretbatcave, and most cyber insurance would demand testing and audit regardless of what the plug-in or software does. So I let infosec deal with infosec even if I don't understand why. And for a regulated company it's even more important.

@PhilipKing @secretbatcave It wouldn't, and doesn't.

It's a plugin on a server that is explicitly siloed due to the innate risk of being compromised, precisely because it's WordPress. A server on which personal data, corporately sensitive data, and operationally critical information is banned. We regularly audit to ensure this is true.

This was performative security because it refused to consider context. Which harms actual security by making people resent the process and cyber security team.

@garius "We don't know what we are dealing with so we need to test everything" mentality. I hope you are able to work with them to get them focused on the right scope.

@blit32 Key problem is their processes currently have no provision for 'accepted contextual risk'.

i.e. it's for a site that doesn't hold PI, commercially sensitive or business critical info, and is hosted on ENTIRELY separate hosting. Because if you're not treating a WordPress server like that, then wtf to begin with.

@garius Yup, and in my experience that usually stems from a lack of understanding of the systems, their value, and their threat model; and also from a perspective that somehow we can achieve "complete" security on everything.