[andrewguy9]

Does anyone remember when HaProxy’s tag line was” Security - Not even one vulnerability in 10 years”. I loved that product.

Before they took all that money. Before they added all the crap people want but don’t need. It’s hard to do the fundamentals, especially when you take your eye off the ball.

[codetrotter]

I see what you are saying but it could also be for example:

1) over time more inherent complexity has accrued, making vulnerabilities more likely to occur

2) vulnerability analysis has improved, meaning that vulnerabilities are being found today where in the past certain vulnerabilities (either same or different ones) were present without being found

and we don’t know that things are being added that’s “not needed”, or that they are “taking the eyes off the ball”.

Do we even know that they would be able to stay relevant without taking money? Taking money seems, in isolation, a good thing to me.

[lucb1e]

I didn't know that used to be their tagline though. That this changed is an interesting perspective.

And as for point #2 specifically, detection improved as well so it's not as if attackers are clearly winning with better attacks on larger attach surfaces. There was a talk recently (can't remember which conference) optimistically wondering if we might be succeeding more than we're failing, since the impactful bugs are getting much harder to find. We're very clearly not there yet, but try to get an exploit on a phone now and compare that to 2011 or 2001. There is a trend there and it's not the same one as GP claims HAProxy is going in. Though your point #1 might adequately explain that, in my head they're still just a proxy (I don't work with the product from a sysadmin perspective) so I wouldn't have known of it if it hadn't come up.