vips7L 3 days ago

> yes there are known CVEs, but is the server actually vulnerable? I ask this question every time some security guy scans my dependencies, they never can actually determine that and I'm forced to drop everything to fix it.
8organicbits 2 days ago | parent

That's a good point. I'm a developer and security freelancer, so I've been on both sides of that interaction. As a developer I usually update when there's a severe vulnerability in a dependency; checking if I am actually vulnerable would take longer. As a security contractor I've helped teams with some really out-of-date systems, often with several high-severity CVEs. I typically (depending on contract terms) assess if the application is vulnerable, and if so, if there's evidence of compromise. I prefer establishing an update cadence versus fire drills. Security hygiene over heroics.