Jonathan Yu (jawnsy@mastodon.social)'s status on Tuesday, 27-Aug-2024 03:49:54 JST

@maaretp What's the goal of the security testing? It can be useful to get a baseline that you can then work to improve
Paul Cantrell (inthehands@hachyderm.io)'s status on Tuesday, 27-Aug-2024 03:49:54 JST

@jawnsy @maaretp One of the deep problems with security is that (unlike performance, say) it’s not really directly measurable, except in hindsight. You’re managing •unknown• problems and not just •known• ones.

Thus the best chance of answering the question “How secure is this system?” is to look at systemic factors that create risk (e.g. maintenance process, delivery cadence, tool choices, internal incentives) and not just the specific flaws a security test would uncover.
Maaret Pyhäjärvi (maaretp@mas.to)'s status on Tuesday, 27-Aug-2024 03:49:55 JST

The obsession to test for security feels misplaced when you see a system where dependencies are not updated, developers have little idea about designs leading to vulnerabilities in the choice of language, and deployments are driven by fast convenience over thoughtful trust perimeters. It’s peculiar how testing is the first thing after mild awareness.