Security team keeps breaking our CI/CD

[-]

Budget-Consequence17@reddit

rushing so here’s the deal, your CI/CD’s clogged with all those vulnerability scans, maybe it’s time to simplify base images. heard Minimus cuts out most known CVEs and feeds you threat intelligence too, so scans run faster and you’re not stuck on old openssl drama. swapping base images can clean up a bunch of pipeline errors with almost no workflow hassle, really helps keep the production flow moving. some teams also layer security checks differently to avoid clusterfail. anyway, focus energy on issues that actually matter. real threats, not just compliance paperwork.

Reply

[-]

Luke_corner94@reddit

your team needs to shift left and automate smarter, not harder. start with minimus base images to cut your noise so youre not chasing 3 year old vulns. also get exploit context on findings so you're not fixing theoretical issues while real threats slip right through. that scan everything approach is basically garbage from years ago

Reply

[-]

danokazooi@reddit

As the guy who gets F'ed in the B on cyber security compliance for DoD; anyone using containers with 3 yr old vulns, exposed or not, and can't be bothered by the phrase: PATCH UR SHIT! doesn't get to play on my networks, and I have enough sway with management to make that happen. And I don't run the scans - I make you run the scans, and I have an external group, usually from the NSA, who's red teaming. And they are frickin merciless.

Reply

[-]

Far-Smile-2800@reddit

put the app behind cloudflare so they have lots of difficulty running bots on it

Reply

[-]

Far-Smile-2800@reddit

create another pipeline without their bs and don’t tell them about it. let them continue with the old one.

Reply

[-]

CanYouShowMeTheError@reddit

“3-year-old OpenSSL version that’s not even exposed.” Are you ignorant or do you just not care? You need to go take a course or multiple courses on zero trust architecture.

Reply

[-]

Separate_Forever_123@reddit

Totally agree on scanning earlier, saves time and headaches later

Reply

[-]

Unlucky-Work3678@reddit

Usually when this happens, one of the director of software and director of security must go. Or the company goes

Reply

[-]

Chvxt3r@reddit

If SSH isn't exposed than why is it there? Also, these scans should be done much earlier in the pipeline.

Reply

[-]

badaz06@reddit

Why is there a 3 year old openssl version out there to begin with? Is it in use or just left there because no one bothered to clean it up? Are there vulnerabilities associated with it, and do you read all the Security vulnerabilities that are released and see if they apply to you and your tools? {Here are the answers} (I don't know. Probably. Not sure, I don't read those things because it's not my job and I don't have time) I get that there has to be a happy marriage between IT SEC and the rest of the world, and I push hard for that, but that doesn't mean you don't have to clean your own stuff up. Most impactful exposures come from things that "aren't exposed" to the outside, because the bad guys get on the inside, scan for tools or files, find them and abuse them. Your security is only as good as your weakest link, and getting past people is typically fairly easy to do, which is why there are things like AV, conditional access and MFA policies, geo-location blocks, etc. As far as the people complaining about hitting non-prod systems, not every dev is diligent enough to copy only the files required from QA to Dev...some are lazy and just copy everything. Maybe every dev person reading this opinion is a shining example of how to write and implement code with security in mind, but IRL there are those more concerned with getting their programs to run and considering any security ramifications of what they're doing is like 4 or 5 steps down the list, if at all.

Reply

[-]

TheRealLambardi@reddit

Umm manage your containers better..honestly. Most registries can tell you this ahead of time. Btw having a 3 year old vuln stopping a pipeline isn’t “breaking the pipeline” that’s old stuff that should have been caught earlier. My point, push your security team to spend the time shifting the testing father left so you catch it at dev time not deploy time. In the OpenSSL bug…it’s rare for decent size companies to have all sorts of networks connecting into their network that the org doesn’t know about so “not exposed” many times isn’t actually “not exposed” But challange the sec team to flag these earlier bit later.

Reply

[-]

Yupsec@reddit

Yeah, I'm confused why everyone is blaming Security for this. The pipeline IS broken but not because stuff is getting scanned. It's broken because Devs can bypass it. Don't even get me started on OP's exasperation over a 3-year old OpenSSL version getting flagged. What even....

Reply

[-]

TheRealLambardi@reddit

I had an internal dev tell me. The internal customer didn’t put in requirements we needed to update the underlying OS of the container. Me: “it’s in your annual training and requirements spelled out by risk, timeline and environment base expectations” Dev: “it was not in the requirements written by the internal customer so it’s not my job” Had an external dev company try the same thing until I pointed out they are paid in successful delivery which is running in prod and the specific security requirements you complaining about are literally written and spelled out in the contract SOW terms. They got mad…then got really mad when I pointed out that HyperCare included updates for 3 months and payment was not due until all sec vulnerabilities (this is base CVE stuff not even fancy code standards) were complete so they are in the hook to watch the repos for new ones. Got real when they tried to weasel out and I went and got a quote from a competitor to do the updates and handed it to them with a 20% markup for me to manage. I said I will let you out of the sow security requirements for the equivalent cost since it’s the part you want to not deliver on. I’m super flexible on sows and bend over backwards as things change and I’m happy to CO for stuff that is in us but when you want out and full payment for something that was clearly spelled out only because your engineers failed to read and just don’t want to…that’s when I get difficult.

Reply

[-]

TheRealLambardi@reddit

I’ve been on both sides and lack of communication and base expectations (both being said and heard) is usually the issue. That said I’ve seen dev teams download and deploy things into production they have zero clue what they are, take images and run them in prod with zero clue of what they are and no process to check them. It’s negligent in my opinion. It’s not a hard requirement to both say out loud and follow. Both sides of this fail at it sometimes. “Though shall not deploy software with critical and high security vulnerabilities.” Hot take: for those accountable for patching, your containers should be getting patched monthly in same cadence as your regular servers. Technical steps are different…the underlying fundamentals are not. If you’re not your org may be missing a lot.

Reply

[-]

yankdevil@reddit

One of the benefits of Go is that containers contain a bunch of root certificates and a single binary. Not much to scan there.

Reply

[-]

Ssakaa@reddit

Not much to scan *there*, but you still have an entire dependency graph in your go.mod files to scan on... and identifying issues there, before the build, can save a lot off problems down the line.

Reply

[-]

yankdevil@reddit

We use renovate to keep dependencies up to date. I just finished some changes that will allow projects that meet certain criteria to automerge renovate changes and deploy to our dev cluster automatically. Folks still need to merge manually to staging and production, but a good chunk of work is removed.

Reply

[-]

txstubby@reddit

Perhaps a stupid question, but why aren't these scans running in the lower environments (dev, qa, just, test etc ) it's much better to find and remediate issues before you get to a prod deployment.

Reply

[-]

ansibleloop@reddit

Yeah we were doing this too - we were uselessly scanning PRs and wasting scans Now we only scan on the develop and master branches

Reply

[-]

Ssakaa@reddit

So you don't want to validate that security issues aren't being introduced *before* code is merged in? The PR is the best time to scan to *prevent* introducing problems into the "real" code. > and wasting scans ... what products are you using that, of all things, *that* is how you measure it?

Reply

[-]

ansibleloop@reddit

It goes into another test env so it's fine We have a free scan limit - it's something shit I need to fix

Reply

[-]

R_X_R@reddit

The majority of these “security guys” are so terrified of everything, simply because they don’t understand it. This is what causes the insane over reach.

Reply

[-]

Ssakaa@reddit

They also know if they don't give a hard line to most devs, the response of the devs is to ignore security and push more features... because that's what the leadership over the devs push them on, rate them on, and reward them on. The only way they get the devs attention is to hit their bottom line. Now, in OP's case, initially introducing the tools in a way that scans and notifies *without* blocking the PRs *and* giving a timeframe like "in 1 month, these will switch to requiring supervisor approvals to continue to merge if they have findings at or above medium, and in 2 months they'll require security approval to continue to merge if they have highs or criticals. Here's the process to clean up false positives." would be a crapload better, but... given OP's tone, I'm not sure their environment's particularly promising on even handling that well.

Reply

[-]

pizzacake15@reddit

It's called a "shift left" in cybersecurity where you integrate scanning of vulnerabilities during development or prior to deploying to environments. OP mentioned CI/CD so i'm assuming they are triggering vulnerability scans when they build the app.

Reply

[-]

Lethalspartan76@reddit

Also that ssl issue should really be fixed. Don’t use old versions if you can help it

Reply

[-]

Fun_Olive_6968@reddit

that's the point he's making, it was fixed in a subsequent layer but their scanner is dumb and flags it - as a wild guess i think they are using Snyk to scan containers.

Reply

[-]

Hunter_Holding@reddit

Should be "fixed" when the container's created or refreshed and never flag on .... a 3 year \*old\* version somehow.

Reply

[-]

Lethalspartan76@reddit

But do they have a scanner that checks the scanners? Lol I agree it’s a mess. Have definitely seen a customer do that where I say “fix this process so it’s more secure” and they just get another scanner…

Reply

[-]

k_marts@reddit

lol what non-prod ![gif](giphy|l3fQf1OEAq0iri9RC|downsized)

Reply

[-]

R_X_R@reddit

OH. AY! Pipeline like that you get a free bowl of soup! Oh. But it looks good on you!

Reply

[-]

BeanBagKing@reddit

Everyone has a test environment. Some people are lucky enough to also have a prod environment.

Reply

[-]

ozzie286@reddit

What makes you think they aren't running on lower environments? OP said "devs are pushing directly to prod", which makes me think that it's the steps before getting to prod that aren't working properly.

Reply

[-]

NeverDocument@reddit

Also - a lot of these tools these days integrate into IDEs and throw errors WHILE YOU'RE CODING, which for our good devs helps a ton, for our lesser devs they don't know what to do.

Reply

[-]

svv1tch@reddit

My guess is it's all environments with a lack of understanding from the security team on how this pipeline works.

Reply

[-]

NetInfused@reddit

Thisssssss ia the right question to be asked!!!

Reply

[-]

DoctorHathaway@reddit

100%! Why are you getting vulns/errors pushing to prod that didn’t come up beforehand?!

Reply

[-]

NetInfused@reddit

"We test in production" 🤠

Reply

[-]

Sieran@reddit

My infosec is having me disable remote shell on windows to disable winRM, and they told me RDP is next... How the fuck do I log into a virtual windows server then to do anything? Cant remotely by powershell. Can't RDP. What the fuck do I do? RED QUALYS X BAD! RISK SCORE 3 BAD! REMEDIATEREMEDIATEREMEDIATE!!!

Reply

[-]

Ssakaa@reddit

Sounds like you have a bunch of academia cattle "security analysts"... so repeat after me: "compensating controls" ... beat them to death with their own vocabulary, since it's the only thing they came out of that "education" with.

Reply

[-]

tekno45@reddit

put the scans on bigger machines. When the questions comes up "why are CICD compute costs up?" easy answer is security scans.

Reply

[-]

Ssakaa@reddit

Metrics should be available to show that pretty well, too.

Reply

[-]

TerrorsOfTheDark@reddit

Some of y'all have never dealt with redhat and it shows...

Reply

[-]

Ssakaa@reddit

They've actually gotten a LOT better at making backport-patched versions identifiable (and Tenable's gotten a lot better at accounting for those), if you're referring to the openssl thing. If you're just referring to the noise of false positives... selinux serves a valuable purpose...

Reply

[-]

AcidRefleks@reddit

>How do you balance security requirements with actually shipping code? It's hard to tell where you are at in the chain of command, but the short answer to your question; managers need to perform a risk analysis of the cost of change vs. no change. It sounds like maybe there have been some deployment issues with these tools so I'll offer a good specific strategy here. Make your metrics your security team's metrics, keep your security team's problem their problem, and use policy/standards/requirements as a weapon. What does that mean here? * Your documented and approved Secure Application Development Lifecycle (Policy/Standard take your pick) has a requirement that all builds by the CI/CD pipeline must complete in less than "n" minutes (< 20 minutes in this case). Any changes that result in a violation of this policy must be approved by (insert manager name no one will bother). Play games with this requirement to your benefit; set a different requirement for the "deploy" portion of the CI/CD pipeline. Security wants to introduce a tool that adds 15 minutes to each development environment build and it causes the build time to violate the Secure Application Development Lifecycle, they - not you - have to get it approved. Someone complains why developer velocity is down after it's approved, pull the impact of build time on developer productivity. Security complains that you've created an arbitrary requirement (hint; this scenario does and, hint, what that led to the tool being implemented is valid) counter by pointing out there is 5 minutes available in the Test environment build or deployment time budget and they can have that time. Why will this not satisfy the control they are trying to introduce? * Never be the blocker and structure all interactions to cost the other side more time then it costs you in time. In this case, offer the solution of scanning in the time available in the Test build budget and ask them to define why this doesn't meet their control. When they point out you're obstructing (hint; you are) simply state you are trying to assist in determining requirements to delivery done and just request again Why will this solution not satisfy the control they are trying to introduce? >Feel like we're optimizing for compliance BS instead of real security. At the risk of generalizing. I believe Real Security(tm) is compliance BS, and that compliance BS is the organization making reasonable efforts to demonstrate due diligence and due care to shift risk (read as "cost") to someone else. Again, at the risk of generalizing, the desired outcome of real security is not to fix all vulnerabilities; it's to construct an impenetrable wall of due care, due diligence, and risk diversion to protect the company …. there not being any vulnerabilities is just a coincidental outcome. This phrasing can't be used in polite company so pretend I just used this phrase; Reasonable Cybersecurity. The counter to any compliance BS is to show the implementation of the proposed control (container scans in this case) cost the organization more then not doing it. >fails if there's a 3-year-old openssl version that's not even exposed. I can't help you on this one, what are doing keeping 3 year old vulnerable dependencies around! There's intentionally no question mark on that statement. Even if you do "prove" it's not exposed, how do you prove it is not exposed in future builds and will never be accidentally exposed in the future builds. The best I can offer is offer to try to scope the security team with rules of engagement - they can only scan the final container image and not the intermediate products. I'd not expect this to be successful.

Reply

[-]

Ssakaa@reddit

> they can only scan the final container image and not the intermediate products Which, coincidentally, is exactly the opposite of what everyone should want, since fixing a change added to test a month ago *at tha ttime* is way easier than re-factoring on the updated version of the dependency *after* it makes it to, and blocks, the prod build and deployment because it finally got scanned and alerted on...

Reply

[-]

Sad_Recommendation92@reddit

Let me guess no one on the security team has ever worked a help desk or any sort of production facing role

Reply

[-]

Silent_Title5109@reddit

Local container repo. Scan at rest not in the ci.

Reply

[-]

Odd-Sun7447@reddit

Why do you have a 3 year old version of OpenSSL in your production stuff. Keep your things updated. How do we balance security? Security FIRST. Making your shit work in a secure environment is absolutely required in today's day and age. Stop making excuses, and stay on top of your infrastructure.

Reply

[-]

kezow@reddit

I ran into not one, but two projects attempting to deploy log4j 1.2.15 today. They came to the support channel asking why their build wasn't passing.... We'll, that's because we blocked that 20 year old package 3 years ago when log4shell exploit caused the entire business to need to update. So many questions that I don't really want answers to. Did you not get the memo? Is it failing because you are just NOW updating TO the 20 year old version? How long has it been deployed to prod? Are you insane or do you just not like being employed?

Reply

[-]

dark_frog@reddit

But ChatGPT said...

Reply

[-]

niomosy@reddit

Don't go giving Copilot a pass here.

Reply

[-]

UninterestingSputnik@reddit

Wish I had better news, but once you solve that, then you'll get into 2nd-order dependencies where an imported library imports or requires 1.2.15 or an old 2.x, and you're right back where you started from. The dependency chain problem is getting worse and worse from a secure development perspective.

Reply

[-]

petrichorax@reddit

This. The mitigating solution here is ro stop being so import happy. Many things arent THAT much trouble to make yourself.

Reply

[-]

fresh-dork@reddit

welp, time to update. i don't want to rec specific products, but ours will point out a vulnerable package, then the fix version, and a dependency chain. this makes rooting out 2nd order deps easier. i have to wonder what it is you use that depends on this decade+ old package

Reply

[-]

AcidRefleks@reddit

Looking at you four year old log4j dependency someone is playing shenanigans with. If I see another fat jar claiming the jar ate my dependency.

Reply

[-]

MrSanford@reddit

This. Putting security in charge of a baseline for the dev environment would fix more problems than it would create.

Reply

[-]

niomosy@reddit

You haven't met my security team.

Reply

[-]

agent-squirrel@reddit

That would require an exceedingly competent a cross skilled security department. Many are just people who click around in vendor tools and scream when a version less than bleeding edge is detected.

Reply

[-]

MrSanford@reddit

I spent over a decade in dev-ops before moving to a security role. I’m sorry that’s your experience.

Reply

[-]

agent-squirrel@reddit

I’m sure it’s not all security people. It’s just all the ones I’ve ever dealt with. Getting on my case about the SSH version on RHEL 9 without understanding what upstream and back ports are is just silly.

Reply

[-]

kuroimakina@reddit

The security team at my org is a bit like this. They use vendor tools that are very overzealous sometimes, including stuff like “this is one patch out of date!” Or “there is an SSH vulnerability on this!” But it’ll be on internal only servers, in a very locked down environment, often times inside some vendor appliance that we have zero control over, that was purchased because some manager heard the “we will manage everything for you!” Pitch and actually believed it. This has happened to me more times than I can count. Side note, I really, really hate Dell powerflex. Just don’t do it man.

Reply

[-]

MrSanford@reddit

When did the layered approach to security go away?

Reply

[-]

agent-squirrel@reddit

Ah crap, our architect was looking at power flex lol. The appliance thing hits home though, I had cybersecurity get on my case about Bomgar because the VMware host config was set to CentOS 6 at some time in the past. Of course the appliance is some custom Linux build but fuck me, do a little more than look at the text on a web page.

Reply

[-]

kuroimakina@reddit

We just installed powerflex racks to host our horizon VDIs. Don’t do it. Just don’t. It’s ludicrously expensive, unnecessarily over-engineered, and the updating process will make you want to quit. I just had to do a software upgrade with them, because they installed it on a version behind and our security team was NOT happy. It took *months* of scheduling and assessing, and the actual upgrade process was - and I am not exaggerating here - *TWO WEEKS* of me sitting in calls with Dell with an upgrade team from India (no beef with India, but we are an American org, and I strongly believe that serious tech support things like this should be from the same or at least neighboring time zones for logistics purposes). They basically use zoom to control whatever computer you’re on to do all the upgrades for you. Sure, they offer the ability to do the upgrades yourself, but the actual effort is immense. We severely regret this purchase. The hardware is competent, but, all the management software is so unnecessarily obtuse and complicated, it’s always out of date, their manager software is literally like 100 containers running in kubernetes… it’s bad. It’s all bad. Do yourself a favor and just go with normal poweredge servers, and if you need a SAN, get some IBMs. For storage, they just cannot be beat on price v performance. Yeah, you’ll have to maintain a little more yourself, but trust me when I say that you will still end up saving SO much time and effort. But if your org is anything like mine, some higher up who hasn’t done any sysadmin work in a decade+ is going to hear “it’s a black box, we will take care of everything, it’s an all in one solution that just works! If you have ANY problems, we fix it!” And they’re going to believe it. Spoilers: they’re lying to you. TLDR powerflex is a hot mess, don’t do it. It’s not cost efficient, and it’s needlessly over complicated, and the upgrade process is so time consuming if you go through Dell that you will NEVER be up to date.

Reply

[-]

agent-squirrel@reddit

This is great info thank you. We mentioned that we are trying to shift off VMware and they started throwing marketing at us about how many other hypervisors they support and I reckon the higher ups got hooked.

Reply

[-]

fuckedfinance@reddit

No. Security should not be in charge of anything within development. That said, security SHOULD be keeping on top of what tools and libraries development is using.

Reply

[-]

mkosmo@reddit

Security **must** be engaged and be a stakeholder early in the development process. Shift left isn't just a saying. They should be involved in scoping and planning, and involved in the SDLC itself... plus the rest.

Reply

[-]

AliveInTheFuture@reddit

Let me know when this actually happens anywhere. People talk and talk about it but never actually accomplish it because it gets in the way of making money. The business’s goals are misaligned with security’s goals, and that will never change.

Reply

[-]

MendaciousFerret@reddit

My last gig we had static code analysis, secrets scanning in GH and container image scanning all in the pipeline. We also used dependabot to scan for outdated dependencies. They seldom blocked a deployment but if they did it was the dev's responsibility to sort it out and if they had a question or needed help they just slacked the appsec guys. We typically deployed a few hundred times a day. devsecops is an attitude where engineers all want to deploy and they help each other out.

Reply

[-]

petrichorax@reddit

Anywhere with compliance requirements

Reply

[-]

mkosmo@reddit

Depends on the business and their risk appetite.

Reply

[-]

Parking_Media@reddit

It's important to have legit open and honest conversations about this stuff between teams. Otherwise you get OPs dilemma.

Reply

[-]

MrSanford@reddit

I said baseline for the dev environment. That would be what tools and libraries they use.

Reply

[-]

Internet-of-cruft@reddit

Nobody said the security team should be in charge of development. *Development* needs to become security conscious and take into consideration things like "am I taking on a dependency on an old, possibly vulnerable library?" Everyone needs to take ownership of the basic question of "is this out of date" in everything they do. That's not just a library, but overall practices too.

Reply

[-]

Odd-Sun7447@reddit

Security should be setting the requirements that the development team needs to operate within. It's NOT just about tools and libraries, it's about requiring (not encouraging) secure operational practices. The development team should be required to maintain their shit. If they aren't, then they are failing to perform one of their absolutely required and very important tasks.

Reply

[-]

fuckedfinance@reddit

Yes, but that isn't putting security in charge of development. That is allowing security to work with leadership/development and put reasonable policies in place.

Reply

[-]

imnotonreddit2025@reddit

We have the tools because policies don't enforce, they advise. It's a serious enough matter that advising isn't enough. When you are set to meet KPI standards (timely delivery of features) security becomes an afterthought and a tool helps enforce.

Reply

[-]

fuckedfinance@reddit

Sigh. Policy can be everything from "promise me you will upgrade your app from TLS 1.0 next year" to running a weekly pipeline to doing what OPs shop is doing. If the policy is implementing tools at the IDE level and running a scan once everything is pushed up to the release branch but before publishing it, then that is a policy. It works in line with other policies, like having a very select number of non-developers (preferably DevOps) people who can actually push to prod.

Reply

[-]

Hotshot55@reddit

> Yes, but that isn't putting security in charge of development. Nobody said put them in charge of development. Setting a baseline security standard is pretty common.

Reply

[-]

rdesktop7@reddit

Do you want to be a software company, or a continuous upgrade company? I know that this will upset people here, but sometimes, a slightly old library that never gets used on the front interface has no ill effect.

Reply

[-]

Odd-Sun7447@reddit

Welcome to the 21st century man. A software company MUST BE a continuous upgrade company. You can't ship software built around software vulnerabilities, otherwise your customers will sue you and win. You can't neglect to keep your CI/CD pipelines updated, you can't neglect to keep your internal corporate infrastructure updated. It isn't the 1990's anymore dude. That ship has sailed, and those who don't get with the program get left behind.

Reply

[-]

rdesktop7@reddit

The discussion is about things existing in internal tools. Also, many companies have contracts to support older version of tools for N number of years. That is the reality of a lot of companies, dude.

Reply

[-]

Odd-Sun7447@reddit

Which includes security updates man...if you tool is built around some ancient version of a plugin that has security vulnerabilities, "supporting it" includes releasing hotfixes that swap those components out with versions that aren't vulnerable. The days of building something and including 5 year old java plugins and calling it fine are gone man, any entity who fails to realize that opens themselves up to lawsuits.

Reply

[-]

pfak@reddit

\> I know that this will upset people here, but sometimes, a slightly old library that never gets used on the front interface has no ill effect. Except when you have customers that security scan your software and expect the most up to date libraries for everything.

Reply

[-]

fresh-dork@reddit

log4j 1.2.17 is from 2012. this is well past slightly old

Reply

[-]

rdesktop7@reddit

Did someone mention log4j 1.2.17 somewhere in this thread that I missed?

Reply

[-]

fresh-dork@reddit

if you go to the page for 1.2.15, it says that .17 is available. that itself also has a bunch of CVE tags and is really old. was hoping that you could force to a patched version, but no. gotta move to 2.x

Reply

[-]

petrichorax@reddit

Devs whine so much i swear. Bunch of pampered overpaid jackasses, just do the one liner jackass!

Reply

[-]

RFC_1925@reddit

This is the correct answer.

Reply

[-]

disclosure5@reddit

It's usually me making these arguments, but honestly try running npm audit on any Javascript app. There's typically a dozen vulnerabilities listed and zero of them matter in the real world. It is basically the norm that half of them can't be fixed because "a malicious config file on the server may use excessive CPU to parse" is somehow a real thing that shows up in CI pipelines yet doesn't have a published fix.

Reply

[-]

ZealousidealTurn2211@reddit

I think my favorite false flag vulnerabilities are the ones that say "a root/admin user can..." Okay I will fix those as soon as feasible, but if someone has root we're so many levels of screwed that I don't care what they can do with this. It only really matters in cases of escaping VMs/containers and hijacking the parent process but they get 9+ regardless.

Reply

[-]

petrichorax@reddit

Well its less severe than unauthenticated rce, but thats an attack path. Its a bit like saying 'if my pile of oily rags in my basement is on fire then that means im already fucked to begin with' Good security is layered like an onion, dont make an egg.

Reply

[-]

ZealousidealTurn2211@reddit

The pile of oily rags in my basement can be cleaned up later because they are only a problem if the house is already on fire. I should make sure the house doesn't catch fire first. But I agree with the onion analogy.

Reply

[-]

petrichorax@reddit

But here's the thing, you're never going to. You can't possibly fix or anticipate all security flaws, but you can go after the severe ones that will lead to even more severe outcomes. Say an attacker takes advantage of some perimeter vulnerability. They've now go control over some admin panel as root. Well if there's NOTHING ELSE VULNERABLE, the attack stops there, especially if it's something inconsequential. But if there's another way to laterally move from there, taking advantage of the escalated privileges they have, then you're looking at a ransomware scenario, especially if it's a container escape. Thinking about \*attack paths\* and \*attack path management\* is how you can actually make a case for reducing your security workload because you're only going after the things that lead to a compromise of critical assets. I was a pentester, this was how I got DA most times. For the love of god listen to experts.

Reply

[-]

ZealousidealTurn2211@reddit

You should really re-read my original comment, all I was talking about was priority/emergency levels.

Reply

[-]

petrichorax@reddit

'False flag' is not really an industry term so it's very open to interpretation, and I interpreted it as 'bullshit'

Reply

[-]

UninterestingSputnik@reddit

The difficulty in the security space is determining whether they matter or not in context. It's EASY to figure out if there's a vulnerable version of a library out there, but it's HARD to figure out if that means you actually have an exposed vulnerability in most cases. Usually better to err on the side of caution and stay as up-to-date as possible. I like the CI model of always importing the latest dependencies and checking / testing builds to make the "I'm on the latest" process less daunting on releases. It's noisy and painful to start, but it helps keep things manageable.

Reply

[-]

goatsinhats@reddit

Company probably has stock in technical debt

Reply

[-]

ConfusionFront8006@reddit

This. Just….completely this.

Reply

[-]

StefanAdams@reddit

Security, DevOps, and Engineering need to be on the same page. Every team has a business need to meet but those teams need to work together effectively to achieve mutual goals. Security shouldn't just arbitrarily add rules without communicating them beforehand and giving others a chance to adjust. Seen too many cases where security teams operate with near-total opacity and refuse to negotiate and plan with other teams, 'cuz if they announce what they're doing ahead of time, it's going to give adversaries a heads-up. Silliness. Now to your point, security doesn't know if your old vulnerable OpenSSL is actually exposed somewhere that is meaningful from a security standpoint and a container scan probably won't tell them that. They just know it's old. Either pull it out or update it. If it's updated then at least everyone has the peace of mind that it won't ever be vulnerable to the known threats that are fixed in that version.

Reply

[-]

altodor@reddit

> 'cuz if they announce what they're doing ahead of time, it's going to give adversaries a heads-up. Silliness. This is only acceptable in adversarial situations like pen tests and phishing tests. In pretty much every other situation security and business are on the same team.

Reply

[-]

BedSome8710@reddit

tbf, your security team is probably also using the wrong products (legacy Veracode, Checkmarx or Snyk) to scan in the first place. They are notorious for false positives, newer wave appsec products have waaaay less of these fp.

Reply

[-]

mirrax@reddit

> 3-year-old openssl version that's not even exposed. Why is it included then rather than building on something like [distroless](https://github.com/GoogleContainerTools/distroless)?

Reply

[-]

NeppyMan@reddit

This is a process problem, not a technical problem. The development leadership will need to negotiate with the security leadership and work out a compromise. This is one of the times where DevOps/sysadmin/infra folks can - truthfully - say that they aren't the ones making the decisions here.

Reply

[-]

fedroxx@reddit

I'd never allow InfoSec to dictate this kind of thing without input from us in engineering. CSO would be called before ExCo to explain why they're fucking up my pipeline, and better have some good answers because it's much easier to replace them than our engineering org. I know this because we've had 5 CSOs during my tenure. A few seemed to have a misunderstanding of who brought in revenue.

Reply

[-]

BeatMastaD@reddit

Yep. The issue is a conflict of how much risk is acceptable and stakeholders/leadership are the ones who make that call. If they are willing to accept more risk then less scans are needed.

Reply

[-]

Ssakaa@reddit

The scans *are* needed. The scans being set up as a blocker on the build/deploy workflow *before* a first round of cleanup is done is a mess though, and shows a lack of both development understanding on the security side *AND* security understanding on the development side. Sadly, this *IS* a spot (Dev)Ops should step in, put their foot down, and pick the fight with *both*. Security being incompetent and implementing things that force blatant violations of policy just so operations can continue is a huge failure on their part. Development wanting to just do away with knowing about the security issues because the security team's a bunch of nitwits is a huge failure on their part. So.... it's pretty much Ops that gets to broker doing it right.

Reply

[-]

Marathon2021@reddit

The issue is executive leadership *above* all those leadership folks … that don’t *want* to make hard decisions. Seen it hundreds of times, I call it C-suite dysfunction. Give us a mad pace of feature releases, but oh - also give us good security and governance. Granted! It would help a bunch if devs would try to understand some of this and not just make everything run as administrator/root, and remove all permissions from the file system “because the code compiles that way.”

Reply

[-]

gosuexac@reddit

This is absolutely the wrongheaded approach to this. The entire point of DevOps is to fix this kind of “inter-departmental negotiation” nightmare. Please educate yourself before giving advice.

Reply

[-]

flummox1234@reddit

I call it "Lawyer Driven Development". It's the reason Cisco AMP is installed on all of our servers taking up sizeable chunks of CPU cycles, memory, and swap space despite most of the servers not even being exposed to anything that could compromise them. 🤷🏻‍♂️

Reply

[-]

bageloid@reddit

>not even being exposed to anything that could compromise them. Unless they are airgapped that isn't true.

Reply

[-]

flummox1234@reddit

They're isolated boxes that process data. Basically everything on the box is already known to be safe through other mechanisms and at this stage AMP is just taking up resources.

Reply

[-]

OldSprinkles3733@reddit

We ended up going with Upwind after dealing with this exact BS for months. Still not perfect but at least it only alerts on stuff that's actually running instead of every theoretical CVE in our node\_modules folder

Reply

[-]

AuroraFireflash@reddit

> only alerts on stuff that's actually running This is a very important feature early on in the adoption of SCA tooling. It trims the list from a few hundred or few thousand vulnerabilities down to only those that matter. Very few tools have it and not all languages are supported.

Reply

[-]

peakdecline@reddit

This is mostly a leadership issue. That said... your developers shouldn't even be able to push to prod outside of your processes. Both per policy and technical enforcement.

Reply

[-]

old_skul@reddit

Came here to say that if your devs have access to prod.... ...well, there's your problem.

Reply

[-]

mkosmo@reddit

Or if they can, it should be a break-glass process that will result in disciplinary action when incorrectly accessed and abused.

Reply

[-]

matt0_0@reddit

If the pipeline being broken is an approved time to break the glass, then that's how the break glass account sees daily use 😁

Reply

[-]

mkosmo@reddit

lol, fair enough. But if regular changes being impeded is a break-glass event, perhaps the change process needs some attention.

Reply

[-]

Ssakaa@reddit

Well... the change process didn't include any testing on the changes to the pipeline from the security folks, by the sound of it... so, yeah. I'd say they have some org-wide process issues...

Reply

[-]

DevinSysAdmin@reddit

Document a couple weeks of this with logs, screenshots, process failures etc and then bring it up with proof.

Reply

[-]

Nonaveragemonkey@reddit

Competent devs would be a start.

Reply

[-]

Leif_Henderson@reddit

> Meanwhile devs are pushing to prod directly because "the pipeline is broken again." If your devs are bypassing security requirements and lying about the pipeline being "broken" then the correct course of action is to put them on a PIP. "You can't publish this without upgrading openssl to the latest version" is not a broken pipeline.

Reply

[-]

Zortrax_br@reddit

A equipe de segurança está fazendo a parte deles, desde que o processo rode redondo. Se tem vun, ai é culpa de quem faz deploy cagado. A equipe de segurança tb não assume os riscos. Normalmente o q se faz nesses casos é ter um combinado, deploy com vulns low podem ir adianta, enquanto de categorias acima são barradas.

Reply

[-]

agent-squirrel@reddit

Classic case of “our tools say vulnerable we have done what we need to. Remediate now”. If the people that are securing things don’t understand said things then they have no business working in cyber security. Firing Nexpose or whatever off and going “look it’s insecure” is so fucking lazy.

Reply

[-]

DellR610@reddit

It's really weird to read cyber called security where everywhere I've worked security is reserved for physical security. Doors cameras sentries etc... That said I roll with whatever cyber pushes out and when asked about delays or problems I just point to them. I do my job well and not really scared of losing it anytime soon, so if they create problems I don't let it phase me.

Reply

[-]

BarracudaDefiant4702@reddit

Why does your base image have openssl even installed if it's not exposed? It sounds like your image has too much bloat. You should have at least a local dev/test environment (typically devs want on their laptop), and at least one preprod/staging environment they can push to before QA looks at it and has all the security tests. Ideally prod doesn't need to be rebuilt and only has separate config files, otherwise it will need to be rebuilt/retested but should be an easy pass. Even better is separate local dev, test, staging, preprod, and prod environments.

Reply

[-]

petrichorax@reddit

Because you fuckers do shit like put in hardcoded api keys andmaintenance hooks if we dont fuckin get on your ass . Our jobs would not exist if you would do yours properly.

Reply

[-]

SikhGamer@reddit

Reply

[-]

Awkward-Candle-4977@reddit

How is your base image spec?

Reply

[-]

dedjedi@reddit

This is 100%, completely, totally, not even a thing you should ever be thinking about.

Reply

[-]

cozyHousecatWasTaken@reddit

Sounds more like a Layer 8 issue tbh

Reply

[-]

heapsp@reddit

They need to get a modern cloud native security system like wiz.io to scan as a part of the pipeline, it will scan for vulnerabilities before its even deployed by simulating the build with terraform as an example, notify the teams of the things that are ACTUALLY problems with no false positives, and you can fix everything in test before its ready to roll

Reply

[-]

ChataEye@reddit

Funny story, i work in a company ( future ex-company ) that runs some penetration testing machines ( attack servers) , an as you know on these server are running some attacking tools and some custom coded malware. Our security teams insisted that we need to run crowrdstike on every productive server and believe it or not guys , every day i get xxx mail about incidents how on these servers there are some suspicios activity and crowdstike locked down these server on weekly level. Imagine the morons.

Reply

[-]

JWK3@reddit

IT requirements change, and as you'll see from most comments here, in 2025 security takes precedence over unabated service deployment. I do also feel that as cybersecurity teams have been a thing in their own right for 10+ years now, new cybersecurity teams and engineers are sitting in companies with no general sysadmin experience and are fresh out of cybersec classroom training. They only understand vulnerability reports and dashboards, not wider business logic. If there is a reason to compromise on security and the risk to the business losing that application/service is greater than the risk of compromise, application update should proceed. You need people that have an understanding of both sides to make a decision, and sometimes that won't be the Dec or the sec team.

Reply

[-]

Lofoten_@reddit

First off... unused dependencies...? C'mon. Secondly, why is the process not to scan in test? Iron out the process validation before you work out the code validation. This should never touch prod before then.

Reply

[-]

povlhp@reddit

Security guy here. We scan running containers (if not they might run for months with high severity known bugs) and we scan code repositories. Dev teams are responsible for fixing critical ASAP (or downgrade/close if not impacted ) and high should be put in sprints. We don’t stop code, we help the developers deliver good products. Sometimes there are reasons why things are rushed into production. But this way we help the devs get time to fix things.

Reply

[-]

arkatron5000@reddit

felt this hard. Our security team added Trivy + Snyk that takes 15min and fails on CVEs in test dependencies we don't even ship. Last week blocked prod deploy because of a 'critical' vuln in a markdown parser buried 6 levels deep in our build tools. Meanwhile actual security debt keeps piling up because we can't ship anything. Anyone else got a secret `--skip-scans` flag for when the CEO starts asking why deploys take 3 hours?

Reply

[-]

LordValgor@reddit

This is going to be a bit harsh, but the secret is to have a competent security team. When I was leading the security team for a SaaS/PaaS product, I worked closely with my head of engineering and DevOps to ensure we were on the same page. Non-blockers were understood and exemptions were written and documented. Executive had the authority to bypass security dissent if required, but they were largely in the loop too (I made sure of it). I rarely had issues with new tools or requirements because I kept the lines of communication wide open. A good CISO/security leader understands the needs of the business _and_ security, and balances and manages them for the best and most practical approach.

Reply

[-]

knightress_oxhide@reddit

I'm a bit confused by this "Meanwhile actual security debt keeps piling up because we can't ship anything." You don't remove security debt by shipping more features.

Reply

[-]

New_Enthusiasm9053@reddit

If you can't ship a fix to a missing server side validation on an API then that could be a security issue that requires fixing by shipping. Not all shipping is features.

Reply

[-]

I_ride_ostriches@reddit

Tact and communication goes a long way. In my org, engineering owns the tools, and security consults. We can shut that shit down if it’s getting in the way. But, we don’t, because we understand and appreciate why it’s there. It’s a team effort.

Reply

[-]

AcidRefleks@reddit

Tell the CEO why the deploys take 3 hours. Provide a high level overview of what is causing the issue and recommend a solution. Offer to provide supporting data or put it as an appendix. If you aren't used to structuring information in the right format, write everything up in your organizations approved ChatGPT-alternative for non-public data, and say I need this in a format for the CEO. Sounds like in this case you can't control the security team, so your recommendation is for the CEO to get the Security team the resources and tools they need so they can reduce the impact to the build time from 3 hours to what it needs to be.

Reply

[-]

Jmc_da_boss@reddit

Why don't you just tell the ceo the security team added scans that take a while. You don't even have to be accusatory. You are just stating a fact.

Reply

[-]

Cold-Pineapple-8884@reddit

There is so much wrong here idk where to even begin. There is no excuse EVER for a system to have a 3yo vulnerability. Why are you guys not using blueprints or golden images? These things should be maintained higher upstream so your deployments use the latest supported and tested version of all libraries. Your security team probably doesn’t trust what you’re doing because why should they when you admit that 3 year old OpenSSL libraries are getting installed on your systems? And why do your devs have direct write access to prod? That is a mega no no. If I am security at your company reading your post I would add to my list of worries that you’re not properly securing API keys and other service account credentials, not using proper authentication and encryption for micro services - and otherwise just having lax controls in the environment. I will tell you that bad actors are mapping networks with speed now. In the past we would see a mailbox compromised here or there and used to relay spam. Now with the proliferation of AI, as well as criminal organizations in Asia, India, Africa and Eastern Europe now selling dossiers on individuals and organizations - ready to go for immediate use/exploitation… way more dangerous than ever before. And as I was saying we no long see just one vector attacks. When someone gets their AD account compromised, we are seeing payroll changes, spam waves on a timer to be sent out a future scheduled date, we see them putting mailbox rules to delete or forward emails, we see them using users OneDrive to host fake login pages for other pegs that they’re phishing, and so on. It’s all scripted and automated now. Sure this isn’t directly related to web servers getting compromised but just imagine that anytime one bad actor gets a little more Intel to your environment they write it down and she it later or sell/share that info. Within five minutes of compromised accounts we now see dozens of actions across company systems with that user account. All it takes is one buffer overload and priv escalation to take root control and then boom completely lateral access across east/west and potentially north/south too. You need better DevOps people because if that’s their MO then your platform’s API keys are probably already posted on github somewhere.

Reply

[-]

endfm@reddit

but you're updating the opensll version which is 3 years old and updating right? then updating security? right...

Reply

[-]

bulldg4life@reddit

I would wonder why you’re not scanning until deploy. That’s way late. Scanning in the pipeline is a normal standard business as usual thing though. I would expect security and devs to work together to analyze the vulns and either address them or mark them as accepted in the scan engine after proper review.

Reply

[-]

trullaDE@reddit

>I would wonder why you’re not scanning until deploy. That’s way late. Exactly this. Those scans should happen at build, and build should fail. Those containers should never get to exist in the first place, let alone be deployed to anywhere.

Reply

[-]

fresh-dork@reddit

yeah, my company scans this stuff in the repo and gives us a 30 day timer to fix our stuff. a repo scan takes several seconds

Reply

[-]

knightress_oxhide@reddit

Yeah there seems to be multiple problems. First devs can just "push to prod" ignoring any testing, etc. Second they have containers with vulnerabilities that are in use and 20 minutes is somehow a problem (are they scanning they same thing every time?). This team is not optimizing for anything.

Reply

[-]

BigBobFro@reddit

Push to prod directly?? Yea that never ended poorly. It doesnt matter if its exposed now,.. if its in your container image it COULD be exposed, and as such should be removed. Basic security principles. Dont let your devs tell you what is and is not secure. They never care.

Reply

[-]

nefarious_bumpps@reddit

1. Dev's should *never, ever* have privileges to modify prod. This is essential to maintain separation of duties and least privileged access. 2. If the 3-year old openssl version isn't exposed then it's not needed, so remove it. If by "not exposed" you mean it's not accessible to the Internet, that doesn't matter. Once a threat actor is inside they will leverage any available vulnerabilities to establish persistence and pivot. 3. With respect to #2, if you're not scanning *all* your containers you're possibly leaving vulnerable attack vectors for threat actors. An internal-only vulnerability *is still an attack vector*. Security isn't just focusing on keeping bad actors out, it also means limiting lateral movement once they've found a way in. 4. If you actually have 47 different scanning tools then that is indeed a problem.

Reply

[-]

eagle6705@reddit

Find a middle ground. Im fortunately in a place where we are small and I do help out cybersecurity so its easy for me to say hey we need you to find a middle ground or replace asses this process and proceed to give the full scope.

Reply

[-]

dean771@reddit

>Feel like we're optimizing for compliance BS instead of real security Im sorry but we all just need to get used to this

Reply

[-]

Intelligent_Ad4448@reddit

Security team at my work did the same and has caused headaches for the past 3 months.

Reply

[-]

UninterestingSputnik@reddit

Lots of lessons to take from this. There needs to be constant over-communication from security to development on what's coming, what's required now, and what the metrics are that they need to adhere to. There needs to be a process for developers to follow that lets them get current, makes them stay reasonably current, and keeps them up to date on an agreed cadence that's appropriate for the exposure of the application they're deploying. There needs to be a constant dialogue at management levels that cascade messages about your industry's vulnerabilities, regulatory requirements (if any), and best practices shared in moderated forums. There are a number of industries that have ISACs that help in this space. Finally, there needs to be a message from the highest possible levels that security is everyone's responsibility. There are simply too many stories in the press about security incidents damaging or destroying companies to let this slide anymore. Best of luck -- none of this is easy, but you'll get all sorts of unexpected benefits from adopting these.

Reply

[-]

bbell6238@reddit

4 steps. Process. The fellas are right

Reply

[-]

trisanachandler@reddit

If it's stopping deployments, you need to have a manual decision if you build+deploy with a failing and open a bug ticket, or if you open the bug ticket and make it a blocker for the deployment ticket. And run these tools in dev with reporting only, the dev can claim a false positive, a mitigation, or a real issue and try and solve it before it goes up to QA or staging. Each level should be more stringent.

Reply

[-]

cakefaice1@reddit

OP you are aware actual hackers can find vulnerabilities in dependencies without setting off a signature detection?

Reply

[-]

imnotonreddit2025@reddit

I see two problems and they're both making each other worse. It sounds like your tools for CI/CD security suck due to their bolt-on nature and possibly not getting enough system resources. 20 minutes for a scan? Insane to me, ours come back in a few minutes and run consistently. No I don't know the tool name offhand. It catches a lot of things I would have missed. Like a 3 year old version of openssl is a problem. It's not known to be exposed because it's not getting ANY fixes anymore. It's not considered for inclusion because it's already excluded from consideration for production use. I know this was just an example, maybe you picked one that doesn't really show your frustrations. But yeah this kind of stuff needs to happen. The fun stops when security comes in. The belt always tightens and you're asked to comply with more and more security controls. But your tool ought to be more helpful in meeting these controls too. Everything sucks about this situation it sounds like. It's hard to justify to superiors that a 20-30 minute runtime of a scan is a problem if they don't understand that it kills the development/test cycle when it takes that long.

Reply

[-]

Helpjuice@reddit

Why are devs allowed to even push directly to production, sounds fundamentally broken. If it has not gone through and passed through the pipeline it should have never made it to prod unless it's an emergency break glass situation. If things are going so slow, then the hardware used to process said tech needs to be faster or the scan optimized to reduce the time it takes to run. Having 3-year old openssl versions should not even be a thing, update the containers to something more modern and fix the issue through automated software updates and regression testing. Customers rely on you to keep things updated, not doing so is unacceptable and not meeting or exceeding customer expectations. Work with the teams to come to a common ground, builds should be quick, and if things need to be scanned they need to be scanned, but only diffs should be scanned and not everything every single time there is a new push. Force them to do better by setting higher expectations on quality.

Reply

[-]

patmorgan235@reddit

The 3 year old ssl version being in production means your image building process is broken. Fix the way you build your image so you KNOW what's in them and that it's up-to-date, and then you can argue that the scanning process is unnecessary because you have compensating controls (or you can still have the scanning process but not have it block deployments)

Reply

[-]

lightmatter501@reddit

Why are you shipping unused dependencies?

Reply

[-]

Thorlas6@reddit

1) keep your dependancies up to date. If its not a clone of production dependancies then you arent developing properly. 2) If Security/Development/Operations didnt build this together you need to re-engineer this from the ground up. Level set expectations and requirements. 3) if devs push straight to prod, no change request, no code review, no oversight. They should be written up and/or fired for breaking policy and exposing the company to risk. 4) compliance exists for a reason. If you are not complying with the frameworks governing your industry you risk losing cyber insurance, fines, and the risks those frameworks exist to help offset. When you get breached and are found in non-compliance the company will have to eat the cost and possibly go out of business.

Reply

[-]

maziarczykk@reddit

Disable these tools and end that nonsense. Kudos to the devs.

Reply

[-]

dev_all_the_ops@reddit

I see you have never actually worked in the real world.

Reply

[-]

Resident-Artichoke85@reddit

You write waivers, signed off by a supervisor, for non-exposed outdated software that is required and then give that to the security team so they stop flagging items with waivers.

Reply

[-]

ThomasTrain87@reddit

Or, stop running deployments that rely on 3 year old dependencies and update them properly? Even if those old dependencies aren’t directly exposed, those weakness and vulnerabilities make the entire deployment vulnerable. It isn’t necessarily the direct component that gets you compromised, but the exposed part the relies on that component that gets you pwned. Read the hacker news to see all the compromises resulting from unpatched vulnerabilities. Behind every one was a poorly executed patching program.

Reply

[-]

brunozp@reddit

The security team has to apply these measures in accordance with the development team and test them before production. They can't break an environment; where is the product owner or the people above them to organize it? It just seems that you have no compliance and methodology in your process

Reply

[-]

chesser45@reddit

Sounds like a process problem. You need to come to an understanding with what management wants. If they want you to deploy infra that matches with the demands of infosec… pound sand. Else figure out the middle ground. Maybe the action steps can be adjusted to better match what the infosec team wants because at the end of the day they have their own deliverables. But it would be good to explore, “why is our app failing this?”, if you don’t need the package or it’s using an old version work with them to understand it and maybe they can build exclusions into trivvy.

Reply

[-]

Leucippus1@reddit

If devs are pushing directly to prod they should be immediately terminated for failing to comply with the company's security policies. Literally, terminated for cause, avoiding the use of security tools. Walk out the door, never come back. I have a word or two for security guys who toss CVEs at people and expect everyone to drop everything to address open SSL version whatever that has been entirely inappropriately assessed a severe rating. I have worked in security for years, the urge to 'have everything green' is great, and often from management. It is actual work to sift through it yourself and calculate the risk like a real professional. I lost months of my life working on 'SecurityScorecard' because our CEO wanted it to be an "A+". Nothing I did solved any security issues I promise. It sure made everyone feel good though. Scanning every container image is a very basic step, you should be scanning and recording the results right after you create the image in dev/stage. Ideally, not only are you scanning the image after creation, but you are scanning the code as it is written. You can easily identify CVEs as you are coding because of the thousands of tools that can read that you are taking X package from Y repository that contains Z methods and those are known to be weak. Just yesterday I was demonstrating something in VSCode when I wrote a short script and VSCode immediately warned me about a CVE that was in the method I was relying on. So this kind of 'oh my gosh we have a security vulnerability we only find out about at deploy time' is a recipe for malfunction.

Reply

Reply to Post

171 Comments