I have a feeling the answer to this is going to be "depends on the company" as is always the case, but I thought I'd gather input anyway.
I'm curious to know how common it is for an infosec/secops team to be auditing/verifying changes to infrastructure themselves. With the recent Palo Alto vuln for example, we talked to the team that manages those devices about whether or not we're vulnerable. They checked and said we are not... and I figured that's good enough for us. But my boss said we need to be verifying patch levels and exposure ourselves.
Now to be clear, I don't think my boss is just being randomly mistrustful. Other teams we work with (granted w/ more complex systems like fleets of Linux hosts) have told us before some change or other was made to close vulnerabilities that weren't in fact done. But a lot of those types of systems are also easier to verify (due to agents or cloud-based tools that just require a glance at a dashboard for verification).
It seems to me that having to log into production devices to double-check what the responsible team said is true is not only extra work but kinda showing an extra level of mistrust + taking responsibility for something that we don't need to. (i.e. if something bad did happen and it's because that team said they were on version X but weren't really, is it really the infosec team's fault?)
The need for production access to all our firewalls/LBs/etc. also seems a bit concerning, though obviously we only need read-only, but I'm new enough to this field I just want to better understand typical best practices.
Anyhow, just curious to know what people think.

Submitted by /u/techaspirant