The obsession to test for security feels misplaced when you see a system where dependencies are not updated, developers have little idea about designs leading to vulnerabilities in the choice of language, and deployments are driven by fast convenience over thoughtful trust perimeters. It’s peculiar how testing is the first thing after mild awareness.
-
@maaretp What's the goal of the security testing? It can be useful to get a baseline that you can then work to improve.
-
@jawnsy @maaretp
One of the deep problems with security is that (unlike performance, say) it’s not really directly measurable, except in hindsight. You’re managing •unknown• problems and not just •known• ones. Thus the best chance of answering the question “How secure is this system?” is to look at systemic factors that create risk (e.g. maintenance process, delivery cadence, tool choices, internal incentives) and not just the specific flaws a security test would uncover.