I used to think I was special: someone who comes in and discovers these ugly pockets of pus. The kind that burst with a single poke, creating a very ugly problem.
In talking to other people high up on the technical side, I realized it is the norm. The only question is whether what I call the "velocity of awesomeness of the product" makes the warts less important.
> After that I as a consultant get access to the network and apart from some test that a developer stood up nothing matches the glossy talk.
Or in my case recently... someone has generated a root certificate for the internal CA that uses an insecure crypto scheme, and Chrome still throws up a security error, requiring users to click past the warnings to access the site.
"Can you generate and roll out a new cert please? This isn't really 'security'?"
"Oh we will get to it, can you just use the one you already have?"
I agree that many shops don't work this way, but they absolutely should. Anyone not developing a good defense-in-depth strategy, and just assuming that their edge firewalls will take care of them... well, they're one step away from a break-in and a data breach.
Our industry needs to do better, and not brush off good security as "glossy marketing talk".
I'll just say I work at a large SF unicorn where we do this. We're not at 100% (getting anything to 100% when you're big enough is impossible), but the vast majority of everything is behind TLS 1.2 with unique certificates per server/app pair.
We're hoping to use SPIFFE/SPIRE to bring adoption even higher.
After that I as a consultant get access to the network and apart from some test that a developer stood up nothing matches the glossy talk.
Thank god for Wireguard. It has truly been a savior for deploying encrypted networks.