Conversation

    Jonathan Yu (jawnsy@mastodon.social)'s status on Tuesday, 27-Aug-2024 03:49:54 JST
    in reply to
    • Maaret Pyhäjärvi

    @maaretp What's the goal of the security testing? It can be useful to get a baseline that you can then work to improve

      Paul Cantrell (inthehands@hachyderm.io)'s status on Tuesday, 27-Aug-2024 03:49:54 JST
      in reply to
      • Maaret Pyhäjärvi

      @jawnsy @maaretp
      One of the deep problems with security is that (unlike performance, say) it’s not really directly measurable, except in hindsight. You’re managing •unknown• problems and not just •known• ones.

      Thus the best chance of answering the question “How secure is this system?” is to look at systemic factors that create risk (e.g. maintenance process, delivery cadence, tool choices, internal incentives) and not just the specific flaws a security test would uncover.

      Maaret Pyhäjärvi (maaretp@mas.to)'s status on Tuesday, 27-Aug-2024 03:49:55 JST

      The obsession to test for security feels misplaced when you see a system where dependencies are not updated, developers have little idea about designs leading to vulnerabilities in the choice of language, and deployments are driven by fast convenience over thoughtful trust perimeters. It’s peculiar how testing is the first thing after mild awareness.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.