That is true. The real world is dirty and messy:

- supporting public LAMP apps
- database servers that have public IP addresses that are barely filtered
- boxes not getting updates
- under-secured Linux boxes with almost every option recompiled to on
- chmod 777 developers
- substituting signatures of checksums for signatures of data
- not using HMAC and opening themselves up to length-extension and chosen plaintext attacks
- storing SSL/SSH private keys unencrypted on unencrypted laptops
- downloading HR data to a laptop and leaving it

I actually was fired once from a big name university in the SF Bay Area for refusing to haphazardly ruin the network security of a credit card processing private campus network to facilitate a new vendor remoting into terminals.

Integrity through awareness/caution, processes and standard components. Bringing in a bunch of random dependencies, regardless of license or support status, is inviting all sorts of gaping attack surfaces.
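The "not using HMAC" item above is the one point in that list that a short program can make concrete. The following is an added example, not code from the comment's author: it builds a toy Merkle-Damgard hash (a constructed 32-byte-block construction whose compression function is SHA-256 over state||block; the block size, IV and compression function are assumptions of the example, not any real hash), then shows that a tag computed as H(key || msg) can be extended by an attacker who knows only the message and the tag, while HMAC over the same hash cannot. The key length is not given to the attacker; the attacker tries lengths against the server's verify oracle, which is how the attack is run in practice. The key, messages and extension are constructed sample data.

```python
"""Toy Merkle-Damgard hash: naive H(key||msg) MAC vs HMAC (length-extension demo)."""
import hashlib
import hmac      # stdlib; used only for constant-time comparison
import struct

BLOCK = 32           # toy block size in bytes (assumption of this example)
IV = b"\x00" * 32    # toy initial chaining value (assumption of this example)


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 over state||block (constructed stand-in).
    Any one-way compression function has the same structural weakness."""
    return hashlib.sha256(state + block).digest()


def md_pad(total_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 8-byte big-endian bit length."""
    zeros = (BLOCK - 8 - (total_len + 1) % BLOCK) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def md_hash(msg: bytes, state: bytes = IV, prefix_len: int = 0) -> bytes:
    """Hash msg. With state/prefix_len the caller resumes from a known digest as
    if prefix_len bytes (a multiple of BLOCK) had already been absorbed; that is
    exactly what a length-extension attacker does with a leaked tag."""
    assert prefix_len % BLOCK == 0
    data = msg + md_pad(prefix_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


# --- the weak construction: tag = H(key || msg) ---------------------------
def naive_mac(key: bytes, msg: bytes) -> bytes:
    return md_hash(key + msg)


def verify_naive(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(naive_mac(key, msg), tag)


def forge_naive(msg: bytes, tag: bytes, ext: bytes, key_len: int):
    """Length extension: given msg, its tag and a guess of len(key), produce a
    valid tag for key||msg||glue||ext without ever seeing key."""
    glue = md_pad(key_len + len(msg))          # the padding the server used
    forged_msg = msg + glue + ext
    forged_tag = md_hash(ext, state=tag, prefix_len=key_len + len(msg) + len(glue))
    return forged_msg, forged_tag


# --- the right construction: HMAC over the same toy hash -------------------
def hmac_toy(key: bytes, msg: bytes) -> bytes:
    if len(key) > BLOCK:
        key = md_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # the outer hash covers the inner digest, so extending the tag buys nothing
    return md_hash(opad + md_hash(ipad + msg))


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_toy(key, msg), tag)


def attack(oracle, msg: bytes, tag: bytes, ext: bytes):
    """Attacker knows (msg, tag) and can only ask the server whether a pair
    verifies. Tries plausible key lengths; returns the accepted forgery or None."""
    for key_len in range(1, 65):
        forged_msg, forged_tag = forge_naive(msg, tag, ext, key_len)
        if oracle(forged_msg, forged_tag):
            return forged_msg
    return None


def demo() -> dict:
    key = b"s3cret-k3y-16byt"        # constructed secret; attacker never reads it
    msg = b"amount=10&to=alice"      # constructed signed message
    ext = b"&to=mallory"             # constructed attacker suffix
    forged_naive = attack(lambda m, t: verify_naive(key, m, t), msg, naive_mac(key, msg), ext)
    forged_hmac = attack(lambda m, t: verify_hmac(key, m, t), msg, hmac_toy(key, msg), ext)
    return {
        "naive_forged": forged_naive is not None,   # True: H(key||msg) is broken
        "naive_forged_msg": forged_naive,
        "hmac_forged": forged_hmac is not None,     # False: HMAC survives
    }


if __name__ == "__main__":
    print(demo())
```

The forged message carries the server's own padding bytes between the original and the attacker's suffix, which is why this bites anything that parses the message leniently (query strings, cookies, "last key wins" parameters). The fix is not a different hash but a different construction: HMAC, or a hash whose API does not expose the chaining state as the digest.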