Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Voxera10620151dThat would also make it much easier to find any potentially vulnerable systems when a new similar exploit is found in some other library.
Sure obscurity is not a good security measure but it can slow down an attacker.
Fast-Nop38494151d@Voxera That's plain wrong. Attackers just use automated attacks and don't care which exact application is there with the bug open. Which is also why is slows down the defenders even more.
If you're doing actual security instead of superficial checklist compliance snakeoil, then there's no issue in being transparent.
IntrusionCM10347151dThe problem are transitive dependencies in most cases.
If you don't use any form of build system, I'd understand having hardship maintaining dependencies - but why would anyone with a sane mindset do this?
Any build system should be able to generate a list of dependencies including transitive dependencies.
Additionally there are things like scanners, e.g. Trivy for Docker, OWASP dependencies checker etc., which do exactly that and even give you a CVE list to shove it up... To highlight the importance of maintenance to your manager / team lead / ...
These things should run in any good form of CI / on an automated basis to assure you don't overlook stuff.
Log4J got so much hype that many people seem to have forgotten that new zero days occur in any form daily.
If you have no such things integrated in your build pipeline or not as a cronjob, then you've pretty much failed the most basic task in security: Ensuring monitoring.
PonySlaystation5My worst dev experience in 2021 has been a PHP-based CMS developped by lobotomized, single-celled organisms in...
prodigy2149best : - the work from my past company - the salary from my current company worst - the work from my current ...
EpicofGilgamesh3Forgot to secure my mongo db instance, found half the data gone, and a new db holding me at ransom , learn_how...