BrenBarn 6 hours ago

> The practical problem with this is that many large organizations have a security/infosec team that mandates a "zero CVE" posture for all software.

The solution is to fire those teams.

acdha 4 hours ago | parent | next [-]

This isn’t a serious response. Even if you had the clout to do that, you’d then own having to deal with the underlying pressure which led them to require that in the first place. It’s rare that this is someone waking up in the morning and deciding to be insufferable, although you can’t rule that out in infosec, but they’re usually responding to requirements added by customers, auditors needed to get some kind of compliance status, etc.

What you should do instead is talk with them about SLAs and validation. For example, commit to patching CRITICAL within x days, HIGH with y, etc. but also have a process where those can be cancelled if the bug can be shown not to be exploitable in your environment. Your CISO should be talking about the risk of supply chain attacks and outages caused by rushed updates, too, since the latter are pretty common.
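The SLA-plus-validation process described in the comment above, as an added example that is not part of the thread: a small triage routine that starts a patch clock per severity, stops it only for a time-boxed waiver carrying an accepted "not exploitable here" justification, and resumes it when the waiver expires or cites an unreviewable reason. The SLA day counts, the package names, the CVE ids (placeholders, not real CVEs) and the sample findings are all constructed; the justification labels are patterned on the OpenVEX "not_affected" justifications.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch-SLA table: days allowed from disclosure to fix, per severity (constructed values).
DEFAULT_SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

# Accepted reasons for stopping an SLA clock, patterned on the OpenVEX
# "not_affected" justification labels. Anything else is not a reviewable claim.
ACCEPTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder ids below, not real CVEs
    package: str
    severity: str
    published: date   # the SLA clock starts here


@dataclass(frozen=True)
class Waiver:
    cve: str
    package: str
    justification: str
    approved_by: str
    expires: date     # waivers are time-boxed so "not exploitable" gets re-checked


@dataclass(frozen=True)
class Decision:
    cve: str
    package: str
    status: str                 # "waived", "overdue" or "open"
    due: date
    days_left: Optional[int]    # None while waived
    note: str


def due_date(f: Finding, sla_days=DEFAULT_SLA_DAYS) -> date:
    """Deadline implied by the severity SLA."""
    return f.published + timedelta(days=sla_days[f.severity])


def triage(findings, waivers, today: date, sla_days=DEFAULT_SLA_DAYS):
    """Apply the SLA clock to every finding, honouring valid, unexpired waivers."""
    by_key = {(w.cve, w.package): w for w in waivers}
    decisions = []
    for f in findings:
        due = due_date(f, sla_days)
        w = by_key.get((f.cve, f.package))
        if w is not None and w.justification in ACCEPTED_JUSTIFICATIONS and w.expires >= today:
            decisions.append(Decision(
                f.cve, f.package, "waived", due, None,
                f"clock stopped: {w.justification} (approved by {w.approved_by}, "
                f"re-review by {w.expires})"))
            continue
        note = ""
        if w is not None and w.justification not in ACCEPTED_JUSTIFICATIONS:
            note = f"waiver rejected: unrecognised justification {w.justification!r}; "
        elif w is not None:
            note = f"waiver expired {w.expires}; "
        days_left = (due - today).days
        status = "overdue" if days_left < 0 else "open"
        note += f"{f.severity} SLA {sla_days[f.severity]}d, due {due}"
        decisions.append(Decision(f.cve, f.package, status, due, days_left, note))
    return decisions


# Constructed sample input: a scanner export and the waiver register, frozen at one date.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample", "CRITICAL", date(2024, 5, 20)),
    Finding("CVE-0000-0002", "example-parser", "HIGH", date(2024, 5, 15)),
    Finding("CVE-0000-0003", "example-http", "HIGH", date(2024, 5, 1)),
    Finding("CVE-0000-0004", "example-compress", "MEDIUM", date(2024, 2, 1)),
    Finding("CVE-0000-0005", "example-tls", "HIGH", date(2024, 5, 25)),
]
SAMPLE_WAIVERS = [
    # Code path is never reached in this deployment; clock stops until re-review.
    Waiver("CVE-0000-0003", "example-http", "vulnerable_code_not_in_execute_path",
           "appsec-review", date(2024, 9, 1)),
    # Waiver lapsed two weeks ago; the SLA clock is running again.
    Waiver("CVE-0000-0004", "example-compress", "inline_mitigations_already_exist",
           "appsec-review", date(2024, 5, 15)),
    # Not a reviewable justification, so the waiver is ignored.
    Waiver("CVE-0000-0005", "example-tls", "dev says it is fine", "someone", date(2025, 1, 1)),
]


def triage_sample():
    return triage(SAMPLE_FINDINGS, SAMPLE_WAIVERS, SAMPLE_TODAY)


if __name__ == "__main__":
    for d in triage_sample():
        print(f"{d.status:8} {d.cve} {d.package:18} {d.note}")
```

Time-boxing the waiver is the part that makes the "cancel if not exploitable" escape hatch defensible to an auditor: the claim is recorded with a named approver and an accepted justification, and it has to be re-made when the deployment or the advisory changes rather than silently hiding the finding forever.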

IcyWindows 4 hours ago | parent | prev | next [-]

Aren't some of these government regulations for cloud, etc.?

bumblehean 5 hours ago | parent | prev [-]

Sure I'll go suggest that to my C-suite lol

paulddraper 4 hours ago | parent [-]

Someone has the authority to fix the problem. Maybe it’s them.