Website security (feddit.org)
[-] slazer2au@lemmy.world 47 points 2 months ago

Move it off Server 2008.

I wish that was not a discussion we had with a customer.

[-] hemko@lemmy.dbzer0.com 13 points 2 months ago

"The business critical software we're using is not supported on 2012 or later"

[-] slazer2au@lemmy.world 15 points 2 months ago

That excuse works until you mention cyber insurance and suddenly a budget appears to get everything upgraded.

[-] MelodiousFunk@slrpnk.net 11 points 2 months ago

It gets worse.

Sometimes the software update is free. All it needs is a half dozen VMs spun up (in an environment of 1500+) and an approved change window to migrate the current version to new servers, and then another window to update. But your request for new VMs gets back burnered for close to a year because there's still production machines on unsupported OSes.

Then a very large breach of the software in question happens while you're on vacation.

By sheer luck, the outdated version is not affected. But suddenly it's super important to upgrade to the latest version NOW. So you end up spending the next few days of vacation splitting your time between defending yourself, re-explaining the situation to "tech" VPs and up that are total frauds, and dealing with top level vendor support because migrating software and OS versions at the same time is not recommended. And then spending a nice relaxing overnight with one of their top engineers doing what was supposed to be an involved but routine process over multiple change windows, but is instead 9 hours of "this should work, guess we'll find out" sphincter-clenching Leroy Jenkins action, in which the top-level engineer was needed more than once to fix something. All this while flying blind on a 2000+ node network because the software you had to emergency update without any guardrails (aside from snapshots) is the network monitoring software. Hell of a thing to back-burner, but I didn't run the company that got sold for several billion so what do I know?

Oh, and three months later you get denied a merit raise because Covid and "nobody" got a raise.

So fucking glad to be rid of that toxic shithole.

[-] PrettyFlyForAFatGuy@feddit.uk 4 points 2 months ago

Or off Windows Server entirely.

[-] slazer2au@lemmy.world 9 points 2 months ago

You get the same issues with *nix distros.

[-] MonkderVierte@lemmy.ml 2 points 2 months ago

But less of it.

[-] Lemminary@lemmy.world 14 points 2 months ago

And what, spend money on something that will save us even more money down the line? You fool, I won't be working at this company by then!

[-] cron@feddit.org 9 points 2 months ago

During my time working in IT for a power grid provider, it was challenging to find patch windows due to the critical nature of their services.

[-] remotelove@lemmy.ca 11 points 2 months ago

That probably means there wasn't a good testing process for patching and there wasn't adequate redundancy. In theory, if a patch breaks one server it shouldn't matter.

In reality, patch testing stacks up and gets behind and redundancies are rarely tested. That is expensive, time consuming work which probably isn't worth the time of someone who is already underpaid and overworked. And fuck! If patch and redundancy testing ever breaks anything prod for whatever reason, the person who was testing everything gets blamed and fired so nobody is going to volunteer for that.

[-] MonkderVierte@lemmy.ml 7 points 2 months ago

Use a static site generator instead of Wordpress.

[-] olafurp@lemmy.world 4 points 2 months ago

I'm a programmer that doesn't know all that much about cybersecurity beyond the basics.

What do you guys think of AI pentesting? Is it made completely redundant by tools or is it going to be a viable strategy for pentesting?

[-] DahGangalang@infosec.pub 8 points 2 months ago

As with most things, I expect it'll help the guys who know what they're doing do their thing faster and more efficiently.

I don't expect it to replace, nor be an effective substitute for, a properly trained pen tester.

It might be helpful to developers to fast-track security testing, but I think there's already a wide array of "non-AI" tools that accomplish that? Don't know a lot about how it could affect that side of things.

this post was submitted on 17 Aug 2024
282 points (99.0% liked)

Cybersecurity - Memes
