natetron's activity in the archive.
I am sure even MS rate-limits login attempts.
No, they don't rate limit, as that would be a DoS vector long before the brute-forced EoP vector.
Is that a thing?
WAF is only as good as the regex rules and quickly falls over if you have a non-script-kiddie playing with you. For example, watch how many block SQL injection of 'or 1=1' but miss 'or 2 not like 3'.
Actually implementing the security dev lifecycle is a good starter. At minimum, create some threat models and identify the attack vectors and targets.
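An added example illustrating the bypass described in that post, not code from the archive or from any real WAF: a hypothetical regex rule of the kind that catches `or 1=1`, run against both payloads, and then both payloads executed against a constructed in-memory SQLite table through a deliberately vulnerable concatenated query, to show that `2 not like 3` is just as much a tautology as `1=1`. The rule set, table, and function names are assumptions for the demonstration.

```python
import re
import sqlite3

# Hypothetical naive WAF rules (constructed for this example), matching the
# "or <number>=<number>" and "or '<str>'='<str>'" shapes that simple rule sets look for.
NAIVE_RULES = [
    re.compile(r"\bor\s+\d+\s*=\s*\d+", re.IGNORECASE),
    re.compile(r"\bor\s+'[^']*'\s*=\s*'[^']*'", re.IGNORECASE),
]


def naive_waf_blocks(payload: str) -> bool:
    """True if any of the naive regex rules fires on the payload."""
    return any(rule.search(payload) for rule in NAIVE_RULES)


def _seed_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def vulnerable_rows_returned(username: str) -> int:
    """Deliberately vulnerable: the username is concatenated into the SQL text.

    Returns the number of rows the query yields, or -1 on a SQL error."""
    conn = _seed_db()
    query = f"SELECT id, name FROM users WHERE name = '{username}'"
    try:
        return len(conn.execute(query).fetchall())
    except sqlite3.Error:
        return -1
    finally:
        conn.close()


def parameterized_rows_returned(username: str) -> int:
    """Fixed form: the username is bound as a parameter, so the payloads are
    compared literally against the name column instead of being parsed as SQL."""
    conn = _seed_db()
    try:
        rows = conn.execute(
            "SELECT id, name FROM users WHERE name = ?", (username,)
        ).fetchall()
        return len(rows)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed payloads: the textbook tautology and the one the post says gets missed.
    for payload in ("' or 1=1 --", "' or 2 not like 3 --"):
        print(
            f"{payload!r}: waf_blocks={naive_waf_blocks(payload)} "
            f"vulnerable_rows={vulnerable_rows_returned(payload)} "
            f"parameterized_rows={parameterized_rows_returned(payload)}"
        )
```

The regex catches `' or 1=1 --` but not `' or 2 not like 3 --`, while the concatenated query returns every row for both (SQLite's LIKE compares the operands as text, so `2 not like 3` is true). Only the parameterized query treats both strings as ordinary, non-matching usernames, which is the point of the post: the rule list is not the control, the query construction is.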