From LinkedIn · · 1 min
An audit is not a bug hunt
Most serious production risk is not a broken thing. It is a permission someone granted years ago and nobody revisited. An audit maps trust, not bugs.
By Olha Shevchenko. Audits production systems on AWS and Node.js.
Most people think an audit is a search for bugs.
It is not.
The first thing I am trying to understand is what the system allows someone to do. Who can see data. Who can change it. Who can trigger actions. Who can act on behalf of someone else. And what assumptions make those permissions seem safe.
Many of the highest-risk findings are not bugs at all. The system is often working exactly as designed. That is the problem.
A lot of production risk lives inside assumptions nobody remembers making. Permissions granted years ago. Internal paths that became external. Trust relationships that were never revisited as the system grew. Capabilities that made perfect sense when the product had ten users and quietly became dangerous at ten thousand.
Nothing is broken. The system is faithfully executing the rules it was given.
That is why I spend less time looking for vulnerabilities than people expect, and more time looking for trust. Who trusts whom. Why. And what happens when that trust turns out to be misplaced.
The most expensive incidents do not start with a bug. They start with an assumption that survived longer than it should have.