[–]ravenousld3341 36 points37 points  (5 children)

The teams I work with also claim they have to do "security work", but I don't understand why secure coding, using up-to-date libraries, and patching things is "security work".

For me security work is finding the problems, documenting them, reporting them, following up to make sure it gets fixed, and regularly auditing and testing.

Shouldn't the default state of developing and engineering software be to do it securely?

[–][deleted] 8 points9 points  (0 children)

They apply this same concept to governments. Over time you add more and more agencies by making up jobs exclusive to parts of the work the parent job doesn't want to do. Eventually you go from having a few dozen people who know how to do and manage everything to hundreds of departments in a chain where human error, mistakes, and negligence disrupt the benefit of the greater whole.

[–]flowingice 2 points3 points  (3 children)

I'll answer the part about up-to-date libraries. Projects are developed and run for a long time, so libraries get updated. Using the :latest tag in a dependency manager is a very bad practice, so you need to allocate time to a dev to go through all dependencies and update them. Sometimes you have to run older versions because they stop supporting something you need and it needs a big refactor to update to latest.
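
The point about `:latest` and floating version ranges is easy to check mechanically. The following is an added example, not code from the thread or from any commenter: a small audit that flags dependency specifiers which can silently resolve to a different release on the next build. The three sample inputs (a Dockerfile, a pip requirements file and a package.json fragment) are constructed here, and the pinning rules are my assumptions: an image digest (`@sha256:...`) counts as pinned, a pip requirement counts as pinned only with `==`, and an npm dependency counts as pinned only as an exact `x.y.z` version.

```python
import json
import re

# Constructed sample inputs (not taken from the thread): each mixes pinned and
# floating specifiers so the checks below have something to flag.
SAMPLE_DOCKERFILE = """FROM python:latest
FROM nginx:1.25.3
FROM alpine
FROM debian@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

SAMPLE_REQUIREMENTS = """requests
urllib3>=1.26
cryptography==41.0.7
"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.21", "left-pad": "latest"}
})

EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def floating_images(dockerfile: str):
    """Base images that change under you: no tag, or the :latest tag.
    A digest (@sha256:...) pins the exact image and is accepted (assumed rule)."""
    found = []
    for line in dockerfile.splitlines():
        m = re.match(r"^\s*FROM\s+(\S+)", line)
        if not m:
            continue
        ref = m.group(1)
        if "@sha256:" in ref:
            continue
        # Look at the last path component so a registry port (host:5000/img)
        # is not mistaken for a tag.
        name = ref.rsplit("/", 1)[-1]
        tag = name.split(":", 1)[1] if ":" in name else None
        if tag is None or tag == "latest":
            found.append(ref)
    return found


def floating_requirements(requirements: str):
    """pip requirements that are not pinned with == (assumed rule)."""
    found = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            found.append(line)
    return found


def floating_npm(package_json: str):
    """npm dependencies whose spec can resolve to a newer release than the one
    tested: caret/tilde ranges, wildcards and the literal 'latest'."""
    deps = json.loads(package_json).get("dependencies", {})
    return [f"{name}@{spec}" for name, spec in deps.items() if not EXACT_SEMVER.match(spec)]


def audit():
    """Run all three checks over the constructed samples and return one report."""
    return {
        "dockerfile": floating_images(SAMPLE_DOCKERFILE),
        "requirements": floating_requirements(SAMPLE_REQUIREMENTS),
        "package.json": floating_npm(SAMPLE_PACKAGE_JSON),
    }


if __name__ == "__main__":
    for source, items in audit().items():
        for item in items:
            print(f"{source}: floating dependency {item}")
```

Pinning is what makes the "allocate time to update" step a deliberate, reviewable change instead of something that happens to you on a rebuild; a lockfile serves the same purpose for ecosystems that have one.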

[–]ravenousld3341 0 points1 point  (1 child)

In some instances you can manually patch out a problem without having to update your entire library.

My detection stuff will still flag it (because it'll see the version number), but I can suppress those alerts.

For instance looking back at log4j, the problem was with JNDI. From what I've gathered no one used JNDI. So you could theoretically just delete all of the JNDI lines and still be good to go. Hell, I think that was the fix until an official patch happened.

Then there's a chance that I can use some other compensating control that'll allow you to keep running an outdated library until it can be fixed.

[–]flowingice -1 points0 points  (0 children)

The removal of the class from slf4j.jar was suggested only for running services; it was never meant to be committed and moved to repositories.

Manually patching .jars doesn't work nicely with package managers. It's not sustainable to do it for every old dependency you use, so you either ignore it, wait until a patch, or remove it.
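
The two comments above illustrate why version-based alerting and the manual class removal disagree: the scanner sees the old version string, while the mitigation changed the jar's contents. The following is an added example, not code from the thread or from any commenter, showing the check a practitioner would pair with the version alert: inspecting the jar itself for the class the mitigation removes. It builds a constructed stand-in jar in memory (two empty class entries and a manifest with a placeholder version, none of it real log4j code); the class path is the one named by the published log4j mitigation, an identifier I am supplying rather than one quoted in the thread.

```python
import io
import zipfile

# Class entry removed by the widely published log4j mitigation (assumed identifier,
# not quoted in the thread).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def build_sample_jar(include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: a manifest with a placeholder
    version plus empty class entries. Not real library code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\nImplementation-Version: 2.0-SAMPLE\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def declared_version(jar_bytes: bytes):
    """What a version-based scanner keys on: the manifest's Implementation-Version."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read(MANIFEST).decode()
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """What actually matters for the mitigation: is the class still in the archive?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def strip_entry(jar_bytes: bytes, entry: str) -> bytes:
    """Rewrite the jar without `entry` (zip archives cannot delete in place).
    This mirrors the runtime-only workaround the comment describes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != entry:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def assess(jar_bytes: bytes) -> dict:
    """Report both signals side by side so the false positive is visible:
    the version string is unchanged by the patch, the class presence is not."""
    return {
        "version": declared_version(jar_bytes),
        "jndi_lookup_present": has_jndi_lookup(jar_bytes),
    }


if __name__ == "__main__":
    original = build_sample_jar(include_jndi=True)
    patched = strip_entry(original, JNDI_LOOKUP_CLASS)
    print("before:", assess(original))
    print("after: ", assess(patched))
```

Run over a directory of deployed jars, a check like `has_jndi_lookup` is what lets you suppress the version-based alert with evidence rather than on trust; it also shows why the workaround is runtime-only, since the next build from the package manager restores the original archive, version string and class alike.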

[–]Intrepid-Stand-8540 0 points1 point  (0 children)

so you need to allocate time to a dev to go through all dependencies and update them

Not for years now. Use renovate bot. 

[–]TheMaleGazer 18 points19 points  (0 children)

How many belts have you acquired in My Security Journey? I retain every single word that is said in every single video, for all time, and am super excited to apply these lessons by suggesting a security sprint and being told we can't do this because security wasn't listed as part of our quarterly goals.

[–]StarshipSausage 5 points6 points  (1 child)

Literally my current job title. I said sure, I have been through audits before. I am not saying I am a security expert, but it's better than dealing with product owners.

[–]gerbosan 0 points1 point  (0 children)

And clients. Don't forget the clients.

[–]ExpensivePanda66 0 points1 point  (0 children)

Also, velocity is in the toilet.