| ▲ | cluckindan 5 hours ago | |
If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53. If they haven’t, it would be ethically dubious for you to not report it. | ||
| ▲ | jacquesm 8 minutes ago | parent | next [-] | |
In theory there is no difference between theory and practice, but in practice there is. > If they haven’t, it would be ethically dubious for you to not report it. I can report all I want, someone needs to act on that report for it to have an effect. There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit. | ||
| ▲ | drw85 an hour ago | parent | prev | next [-] | |
In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy. | ||
| ▲ | DamonHD an hour ago | parent | prev [-] | |
These were all multinationals, with very significant US presence. | ||