While going through a few interviews in the past few months, I realised why we get so many breaches and issues in the industry. With so many qualified security professionals, the obvious question to ask is:
"How is it possible, with so many CISSPs, CISMs, CISAs etc., that almost every week we hear about a new breach, a new security issue and so on?"
Not trying to diminish the value of the certifications, just pointing out something that no certification will teach: imagination and thinking outside the box.
During an interview with one well-known company, the SVP of security asked me:
"So when would you use SAML instead of OAuth?"
I answered to the best of my ability and in the end pointed out that SAML is somewhat heavier, with all the SOAP message exchanges etc., and a somewhat old protocol.
The question itself didn't make sense, as SAML is used with OAuth in some cases :)
They can complement each other.
Then I asked a question of my own:
"Is there an API Gateway in your architectural landscape?"
He laughed and said that there is no need, as they don't expose their web services.
I froze a bit and from this point on tried to understand how I would fit into that organisation.
Do I have to drive home to him that SAML is an exchange of XML messages, just like web services are?
SOAP over HTTP :)
An API Gateway, or XML firewall as it is sometimes called, is an absolute requirement to protect against fragmented XML messages and other nasty attacks.
Will that particular SVP know how to protect his company's infrastructure?
I guess he will be SLAMed by SAML :)
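As an added illustration (my own example, not part of the original post), here is the kind of pre-parse gate an XML firewall applies to a SAML message before it reaches the application: refuse any DTD (the carrier for entity expansion and external entity tricks), bound message size and nesting depth, reject truncated or fragmented documents, and check that the root element is the expected samlp:Response. The SAML response bytes and the size/depth limits are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
EXPECTED_ROOT = "{%s}Response" % SAMLP_NS
MAX_BYTES = 64 * 1024   # constructed limit; real gateways size this per service
MAX_DEPTH = 32          # constructed limit; SAML assertions are nowhere near this deep

# Constructed sample messages (not captured from any real IdP).
GOOD_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_c1" Version="2.0"><samlp:Status>'
    b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    b'</samlp:Status></samlp:Response>'
)
DTD_RESPONSE = b'<!DOCTYPE r [<!ENTITY a "aaaa">]>' + GOOD_RESPONSE


def inspect_saml_message(raw: bytes, expected_root: str = EXPECTED_ROOT):
    """Return (accepted, reason); the checks an XML gateway runs before the app parses."""
    if len(raw) > MAX_BYTES:
        return False, "oversized"
    # SAML never needs a DTD, so any DOCTYPE/ENTITY declaration is rejected before parsing,
    # which takes entity-expansion and external-entity payloads off the table entirely.
    if re.search(rb"<!DOCTYPE|<!ENTITY", raw):
        return False, "dtd-not-allowed"
    depth, root_tag = 0, None
    try:
        # Streaming parse: depth is tracked as elements open/close, so a deeply
        # nested document is rejected without building the whole tree first.
        for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                root_tag = root_tag or elem.tag
                if depth > MAX_DEPTH:
                    return False, "too-deep"
            else:
                depth -= 1
    except ET.ParseError as exc:
        # Truncated / fragmented messages fail well-formedness here.
        return False, "malformed: %s" % exc
    if root_tag != expected_root:
        return False, "unexpected-root:%s" % root_tag
    return True, "ok"


if __name__ == "__main__":
    for name, msg in [("good", GOOD_RESPONSE), ("dtd", DTD_RESPONSE), ("cut", GOOD_RESPONSE[:-20])]:
        print(name, inspect_saml_message(msg))
```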