I've just had the following conversation with our security team and it's one that I've had countless times now. We've wasted a huge amount of team effort on this kind of thing and are falling behind schedule because of it:
Them: "Hi, dependency bot is showing a vulnerability in a library you're using."
Me: "We don't actually use the affected API and the vuln is a DDoS. That component is only used internally in our product, which isn't network based, so it'd be impossible to exploit."
Them: "We still have to fix it because our customers will care that we have a vuln."
Me: "But we don't have a vuln."
Them: "I know, but it doesn't matter, it's a compliance thing."
Me: "This will take us about 3 days of dev effort to test because that component can't be tested automatically."
Them: "Yeh, that sucks."
Me: "But you did this to us two weeks ago. How are we supposed to get any work done with you constantly making us do spurious work that doesn't actually add any value or make our product more secure?"
Them: "Yeh, that sucks."
Honestly, I'm starting to question the whole "Don't re-invent the wheel" mantra… It's starting to seem like it'd maybe be a good idea because while we'll have buggier code, no one will be able to insist we make constant unneeded changes all the time.
submitted by /u/ratttertintattertins
from Software Development – methodologies, techniques, and tools. Covering Agile, RUP, Waterfall + more! https://ift.tt/wDMW971