I don't disagree with you; where were the mitigating controls? I just won't ever say that security is as simple as "patch this".
Replying to @SteveD3 @irawinkler
Why isn't it simpler? Be specific, and then let's solve THOSE problems so it never happens again.
Scott Arciszewski Retweeted Scott Arciszewski
Updates should be automatic by default, and implemented securely. https://twitter.com/CiPHPerCoder/status/908148212694908928
Dev libraries auto-updating is a recipe for failure. Standalone is one thing, but a library, such as in this case, is a very different thing.
Replying to @adamcaudill @CiPHPerCoder and
Breaking changes, recompiling, redeployment, etc. - when dealing with a library, it's so much more complex.
Then let's build the infrastructure to make it NOT complex.
Replying to @CiPHPerCoder @adamcaudill and
"Encryption is hard, people keep screwing it up." Well, now we have libsodium, and chosen-ciphertext attacks are less useful when it's used.
Replying to @CiPHPerCoder
Finding a way to auto update a dev library/framework with near zero risk, especially for compiled langs is a much harder problem.
Replying to @adamcaudill @CiPHPerCoder
Did you look at the last Struts vuln? The fix involved unavoidable interface changes; for some users, a code change would have been required.
Replying to @adamcaudill @CiPHPerCoder
It was a point release, but a blind swap (for some users), would have broken their application.
Because they don’t have dev and preprod environments nor an extensive test suite? Come on.