I've done security reviews for a dozen companies. This sort of thing is startlingly common. Every single company I've reviewed is doing something that in retrospect should have been obvious.
I try to tell people: "You don't need AI security, you need a checklist."
Colonial Pipeline reused passwords, shared passwords, used the same password for all VPN users, and failed to rotate it when people left (that's 4 insanely basic violations of password security). ANY human who did a security review would have caught that. Even an intern who knew nothing and furiously googled "information security review" on the bus on the way in to kick off the review. (No disrespect to interns in over their heads; my point is they didn't prioritize security, so they didn't get security.)
Capital One used an admin-privileged instance profile attached to a publicly accessible admin interface for a security tool (which tool, by the way, had no need of admin credentials). They were hit by an SSRF vuln and leaked their admin credentials. They also failed to alert on unexpected use of those credentials (try it, use of admin credentials is rare enough that you won't have a lot of noise) and failed to alert on large outbound connections (this one is subtle, but worth doing if you can figure it out).
Equifax failed to apply security updates regularly (just turn on automatic security updates; people suck at chores), failed to deploy a SIEM, failed to conduct periodic security reviews, and failed to put capable security people in place.
The above are not my clients, just public reports to illustrate that everyone can benefit from a security review to catch the obvious errors.
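As an added example (not code from the comment above), here are the two alerts the Capital One paragraph calls for, run over constructed CloudTrail-style and flow-log-style records. The principal name, the VPC range 10.0.0.0/16 and the 10 GiB threshold are assumptions chosen for the sample data.

```python
"""Two cheap detections: admin credentials used from an unexpected network, and
an unusually large outbound transfer. All records below are constructed samples."""
import ipaddress
from collections import Counter

# Constructed API-call events made with an instance-profile role (CloudTrail-like shape)
API_EVENTS = [
    {"principal": "role/sec-tool-instance-profile", "source_ip": "10.0.1.23", "action": "s3:ListBuckets"},
    {"principal": "role/sec-tool-instance-profile", "source_ip": "10.0.1.23", "action": "s3:GetObject"},
    {"principal": "role/sec-tool-instance-profile", "source_ip": "203.0.113.45", "action": "s3:ListBuckets"},
    {"principal": "role/sec-tool-instance-profile", "source_ip": "203.0.113.45", "action": "s3:GetObject"},
    {"principal": "user/alice", "source_ip": "198.51.100.7", "action": "ec2:DescribeInstances"},
]

# Constructed flow records: bytes sent from an internal host to each destination
FLOW_RECORDS = [
    {"src": "10.0.1.23", "dst": "203.0.113.45", "bytes_out": 48_000_000_000},
    {"src": "10.0.1.23", "dst": "52.216.1.1", "bytes_out": 1_200_000},
    {"src": "10.0.2.9", "dst": "198.51.100.7", "bytes_out": 250_000},
]

ADMIN_PRINCIPALS = {"role/sec-tool-instance-profile"}      # assumption: the privileged role
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]      # assumption: the VPC's own range
OUTBOUND_THRESHOLD = 10 * 1024 ** 3                        # assumption: >10 GiB to one host is abnormal


def unexpected_admin_use(events):
    """Admin-role calls are rare, so any call from outside the expected network is worth an alert."""
    alerts = []
    for e in events:
        if e["principal"] not in ADMIN_PRINCIPALS:
            continue
        ip = ipaddress.ip_address(e["source_ip"])
        if not any(ip in net for net in EXPECTED_NETS):
            alerts.append((e["principal"], e["source_ip"], e["action"]))
    return alerts


def large_outbound(records, threshold=OUTBOUND_THRESHOLD):
    """Aggregate bytes per (src, dst) pair and flag pairs that exceed the threshold."""
    totals = Counter()
    for r in records:
        totals[(r["src"], r["dst"])] += r["bytes_out"]
    return sorted((src, dst, b) for (src, dst), b in totals.items() if b > threshold)


if __name__ == "__main__":
    for a in unexpected_admin_use(API_EVENTS):
        print("ALERT admin creds used off-network:", a)
    for f in large_outbound(FLOW_RECORDS):
        print("ALERT large outbound transfer:", f)
```

Both checks are deliberately noisy-by-design only where the underlying event is itself rare, which is the point the comment makes about alerting on admin credential use.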