lloydatkinson 4 hours ago

> Had some slack discussions with security about how their need for a green metric on patch deployment time doesn't entitle them to introduce a fire hazard to my personal residence...

How did this part go down? I'm just curious because it reeks of entitlement and security theatre on their part.

It reminds me of an incident I had once at an old job, surprise surprise security related, where a moronic decision had been made by the combined DevOps and security team (putting aside how a separate DevOps team is a bad idea). They had decided to use some "dependency security scanner" and if it found ANY, it would immediately disable the CI/CD build pipeline for that repository.

1) This could happen at any point within minutes/hours of some CVE being published. It would frequently block deployments.

2) It could not/would not take into account developer tooling vulnerabilities. Oh, your CSS library has a string DDoS vulnerability, where if someone makes a ginormous CSS file, the library will crash?

3) The CSS library does not reach a user's machine, and is run once, at build time. Either it passes and deploys, or it fails and does not deploy. Therefore, it was probably not even justifiably a CVE to begin with, but more importantly, we now cannot deploy. https://old.reddit.com/r/cybersecurity/comments/1622xia/cve2...

4) The build pipeline would be disabled for ANY type of vulnerability regardless of impact. Even low ratings.

5) Because this security ~~scam~~software did not care about nuance like that, we could not even deploy hotfixes, critical production fixes, bug fixes, or anything.

6) Because it would disable the pipeline within minutes of a CVE, there was never a fix or a newer version to upgrade a dependency to. We had to wait days or sometimes weeks for a new version to be released.

This lasted a couple of months before they were forced to remove all this crap.
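The points above amount to a gating policy with no notion of severity, dependency scope, or fix availability. The following is an added example, not code from the thread or from any scanner product the commenters mention: a small CI gate that evaluates constructed scan findings under the naive "block on any finding" rule and under a scoped rule that blocks only on severe findings in dependencies that actually ship to users and for which a patched release exists. Package names and advisory identifiers are invented placeholders.

```python
"""Added example (not from the thread): compare a naive dependency-scan gate
with a scoped one. All findings below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    package: str                 # hypothetical package name
    advisory: str                # placeholder advisory id, constructed
    severity: str                # one of SEVERITY_RANK's keys
    scope: str                   # "runtime" (ships to users) or "build" (build-time tool)
    fixed_version: Optional[str] # None when upstream has not released a fix yet


# Constructed scan output mirroring the comment's situation: a build-time CSS
# tool with a crash-on-huge-input finding, a real runtime issue with a fix,
# and a low-severity runtime finding.
SAMPLE_FINDINGS = [
    Finding("css-minifier", "ADV-EXAMPLE-001", "medium", "build", None),
    Finding("http-client", "ADV-EXAMPLE-002", "high", "runtime", "2.4.1"),
    Finding("logger", "ADV-EXAMPLE-003", "low", "runtime", "1.0.9"),
]


def naive_gate(findings: List[Finding]) -> Tuple[bool, List[Finding]]:
    """The policy described in the comment: any finding at all disables the pipeline."""
    return (len(findings) == 0, list(findings))


def scoped_gate(findings: List[Finding], min_severity: str = "high",
                block_unfixable: bool = False) -> Tuple[bool, List[Finding], List[Finding]]:
    """Block only on findings that are severe, reach users, and are actionable.

    - severity at or above min_severity
    - scope == "runtime": build-only tooling is reported but never blocks
    - a fixed version exists; otherwise blocking just freezes every deploy until
      upstream ships (block_unfixable=True opts into that for a specific run)
    Returns (allowed, blocking_findings, advisory_only_findings).
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking: List[Finding] = []
    advisory: List[Finding] = []
    for f in findings:
        severe = SEVERITY_RANK[f.severity] >= threshold
        reaches_users = f.scope == "runtime"
        actionable = f.fixed_version is not None or block_unfixable
        if severe and reaches_users and actionable:
            blocking.append(f)
        else:
            advisory.append(f)
    return (len(blocking) == 0, blocking, advisory)


def report(findings: List[Finding]) -> List[str]:
    """Human-readable comparison of both policies, one line per finding plus verdicts."""
    lines = []
    naive_ok, _ = naive_gate(findings)
    scoped_ok, blocking, advisory = scoped_gate(findings)
    for f in blocking:
        lines.append(f"BLOCK   {f.package} {f.advisory} {f.severity} {f.scope} fix={f.fixed_version}")
    for f in advisory:
        lines.append(f"ADVISE  {f.package} {f.advisory} {f.severity} {f.scope} fix={f.fixed_version}")
    lines.append(f"naive policy: {'deploy' if naive_ok else 'pipeline disabled'}")
    lines.append(f"scoped policy: {'deploy' if scoped_ok else 'pipeline disabled'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
```

With the sample data the naive gate disables the pipeline outright, while the scoped gate blocks only on the runtime `http-client` finding that has a fix to upgrade to; once that one is resolved the scoped gate lets the deploy through even though the build-only and low-severity findings are still open.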
lovich 3 hours ago | parent

Did this software happen to rhyme with Veracode? I won't make the claim that it can't be set up and configured in a way that's useful, but I will make the claim that I've never run into an instance where it was, and have wasted more time than I want to remember dealing with similar issues to what you described.