mstdn.io is one of the many independent Mastodon servers you can use to participate in the fediverse.


If CVE scanners are stupid, then what should I do instead?

Suppose I'm a sysadmin / devops at a small software company. The devs write webapps with lots of dependencies, which they rarely update.

Is there anything I can do to meaningfully reduce the risk of a vuln in one of those dependencies getting us pwned, without that consuming all of my time?

@wolf480pl

It is a bad buzzword, but "zero trust" in its original form does make sense. Isolate the services enough from each other to avoid spreading if one of them gets pwned.

Also being picky what kind of software you use is really helpful. I always annoy my colleagues with "always use the latest major version automatically. What? You do not trust this software to not break on minor upgrades? Then we should not use it in the first place"

Stuff breaking on automatic upgrades is my favorite indicator for broken software that should be avoided.

@wolf480pl

Most of the "dependency hell" tools out there (npm, maven) do have integrated checks that warn you, or there are plugins to update dependencies. Even if your team wants to stay fixed to a certain version, make the pipeline display big fat warnings if there is an update available. Insist that they immediately apply this update and push to prod.

@simon_m I can't insist that the devs update every time there is a new version, because a) that'd be a crippling amount of extra work for them, and b) it drastically increases the rate of change, and the number of factors that change, making it harder to figure out why things broke.

Now, if I could make them avoid dependencies that break with minor updates, but only run all minor updates at designated times (ideally when there are no changes to the app itself), that'd be cool.
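A concrete form of the pipeline gate @simon_m describes, shaped to the policy wolf480pl prefers: an added example, not code from anyone in this thread. It consumes the JSON that `npm outdated --json` prints (package name mapped to `current`, `wanted` and `latest`), puts major-version jumps into a "review" tier that a human must look at, and collects minor/patch updates into a "batch" tier to be applied together in the maintenance window. The package names and version numbers below are constructed sample data, not real project output, and the threshold logic in `pipeline_status` is an assumed policy, not anything npm provides.

```python
"""Tier outdated npm dependencies for a CI gate.

Policy (assumed for this example):
  - behind by a major version -> "review": a person decides before prod
  - behind by minor/patch     -> "batch":  applied together in the window
  - up to date                -> ignored
The pipeline prints the tiers as a warning and fails only when more than
`max_major` packages are a major version behind, so every minor release
does not block a deploy but nobody can silently sit on a major one.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample in the shape of `npm outdated --json`; not real output.
SAMPLE_OUTDATED_JSON = json.dumps({
    "express":  {"current": "4.17.1", "wanted": "4.18.2", "latest": "4.18.2"},
    "lodash":   {"current": "3.10.1", "wanted": "3.10.1", "latest": "4.17.21"},
    "jest":     {"current": "29.0.0", "wanted": "29.7.0", "latest": "29.7.0"},
    "left-pad": {"current": "1.3.0",  "wanted": "1.3.0",  "latest": "1.3.0"},
})


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch). A leading 'v' and any prerelease/build
    suffix are dropped, so '1.2.3-rc.1' is treated as 1.2.3."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    while len(parts) < 3:
        parts.append("0")
    return int(parts[0]), int(parts[1]), int(parts[2])


def update_kind(current: str, latest: str) -> str:
    """Classify the distance from `current` to `latest`."""
    cur, new = parse_semver(current), parse_semver(latest)
    if new <= cur:
        return "current"
    if new[0] > cur[0]:
        return "major"
    if new[1] > cur[1]:
        return "minor"
    return "patch"


def classify(outdated: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Split packages into the review and batch tiers (sorted by name)."""
    tiers: Dict[str, List[str]] = {"review": [], "batch": []}
    for name, info in sorted(outdated.items()):
        kind = update_kind(info["current"], info["latest"])
        line = f"{name} {info['current']} -> {info['latest']}"
        if kind == "major":
            tiers["review"].append(line)
        elif kind in ("minor", "patch"):
            # `wanted` is the highest version the declared range already
            # allows; if it equals `latest`, a plain `npm update` suffices.
            in_range = info.get("wanted") == info["latest"]
            tiers["batch"].append(line + (" (in range)" if in_range else ""))
    return tiers


def pipeline_status(tiers: Dict[str, List[str]], max_major: int = 0) -> int:
    """Print the warning block and return the exit code for the CI job."""
    for tier in ("review", "batch"):
        for entry in tiers[tier]:
            print(f"::warning:: [{tier}] {entry}")
    if len(tiers["review"]) > max_major:
        print(f"::error:: {len(tiers['review'])} major update(s) awaiting review")
        return 1
    return 0


if __name__ == "__main__":
    # Pipe `npm outdated --json` in; fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTDATED_JSON
    data = json.loads(raw) if raw.strip() else {}
    sys.exit(pipeline_status(classify(data)))
```

Wired into CI as `npm outdated --json | python3 dep_gate.py` (npm itself exits non-zero when anything is outdated, so capture its JSON rather than relying on its status), this gives the "big fat warning" on every run while keeping minor updates out of the critical path until the scheduled window.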

Wolf480pl

@simon_m the thing with isolating services harder (also what @quad suggested) - maybe there are some things I could do here, but AFAIK the most valuable data is the one that all those services need access to. But maybe not all of them...