← Insights·Infrastructure Security

The Forgotten Server Is the Real Risk

May 31, 2026·2 min read

Comparison of two sides of the same IT environment. On the left, a 'managed core systems' panel in teal shows five well-maintained assets, firewall, servers, cloud, VPN, and backup, each card carrying owner, patched, and monitored check marks, with a footer 'asset inventory · documented · owned'. In the center, a small 'meanwhile...' label. On the right, a 'forgotten systems' panel in amber shows five quietly neglected assets, old server, test that became production, legacy NAS, camera system, legacy app, each card decorated with cobwebs and amber warning pills for no owner, no patch, outdated OS, open firewall rule, no monitoring, and old passwords, with a footer 'attackers love these'. Below, an 'asset hygiene · make the forgotten visible' strip lists six equally weighted actions: discover, assign owner, document, patch, monitor, remove unused.

Every company has the systems everyone talks about, the firewall, the main servers, the cloud, the VPN, the backup platform. The real risk usually lives somewhere else: the old server nobody wants to touch, the test machine that became production, the legacy NAS, the camera system with an ancient password, the application that still works but has no owner. The problem is rarely technology. It is ownership.

Every company has systems that everyone knows about.

The firewall.
The main servers.
The cloud environment.
The VPN.
The backup platform.

But the real risk is often somewhere else.

The old server nobody wants to touch.
The test machine that became production.
The NAS that was installed years ago.
The camera system with an old password.
The application that still works, but nobody owns anymore.

These systems are dangerous because they are forgotten.

They may not be patched.
They may not be monitored.
They may still have open firewall rules.
They may use old accounts, weak passwords, or outdated software.

Attackers love systems like this because they are quiet, exposed, and usually not watched closely.

The problem is not always technology.

The problem is ownership.

Good security starts with knowing what you have.

Find the forgotten systems.
Document them.
Patch them.
Monitor them.
Remove what is no longer needed.

The biggest risk is not always the system you see every day.

Sometimes, it is the one everyone forgot.

// related reading

API security with backend validation diagram. On the left, an untrusted client panel showing a browser UI with a hidden DELETE button, a disabled ROLE field, and the URL /api/tickets/42 with the 42 underlined as 'attacker changes this', plus four amber pills indicating client-side manipulation: changed ID, modified payload, direct API call, bypassed UI. Amber arrows representing manipulated requests flow into the right panel, a backend pipeline labeled THE REAL ENFORCER. The pipeline runs each request through six teal gates top to bottom: AUTH (is the user logged in?), AUTHORIZATION (can this user do this action?), OBJECT-LEVEL AUTHZ (can this user access this record?), INPUT VALIDATION (does this payload make sense?), RATE LIMIT (is this request too frequent?), LOG + MONITOR (should this be recorded?), exiting into an APPROVED REQUEST arrow, with a side branch from OBJECT-LEVEL AUTHZ to an amber 403 · DENIED pill, and a callout noting every request is treated as possibly manipulated. Below, a strip of seven equally weighted controls: backend-side validation, object-level authorization, input sanitization, rate limiting, clear error handling, logging plus monitoring, and abuse protection, with a small tag reading 'frontend helps · backend enforces'.

Infrastructure Security

API Security: Do Not Trust the Client

The frontend can hide buttons, disable fields, and guide the user through the right flow, but anything that comes from the client can be changed. Attackers swap IDs in URLs, edit payloads, call the API directly, and bypass the UI completely. Real security lives in the backend: authentication, authorization, object-level access checks, input validation, rate limits, and logging on every request, because every request is treated as possibly manipulated.

Read article

Certificate expiration risk diagram. On the left, a CERTIFICATES EVERYWHERE panel showing ten services that quietly depend on a valid certificate, website, API, VPN, load balancer, mail, internal services, Kubernetes ingress, monitoring, identity, and integrations, with two services (WEBSITE and IDENTITY) flagged in amber as EXPIRES SOON, and a footer pill reading 'all depend on a valid cert'. On the right, an amber-bordered WHEN A CERT EXPIRES panel listing the immediate impact: users cannot log in, APIs fail, browser security warnings appear, automations break, integrations stop, customers lose access, with a footer note 'and all it took was a missed date'. Below, a CERTIFICATE LIFECYCLE strip with seven equally weighted controls: inventory, ownership, expiration monitoring, alerts, renewal process, automation, and post-renewal testing.

Infrastructure Security

Certificate Expiration Is Still Taking Systems Down

An expired certificate is one of the simplest, most preventable outages, and it still keeps happening. The fix is not heroics on renewal day. It is treating certificates like production assets: a real inventory, a clear owner, monitored expirations, alerts, a renewal process, automation where possible, and post-renewal testing so the change does not break something downstream.

Read article

Back to all insights