by phoehne 1651 days ago
Have you ever worked with someone in information security, only to find out they're checking off features but don't know what they're doing? Has it been scanned by this piece of software (which produces 832 false positives) and provided a remediation plan? Has everyone taken the on-line cyber security training? Do you have a documented architecture? Are you using the approved software versions (only they didn't get the memo we've moved on from Java 1.8)?

I once had to argue back and forth with someone (circa 2008) that JavaScript did not mean "mobile code" in the sense of their checklist. I had to explain what JavaScript was and how it worked, but they were more than willing to tell me I had to remove it from the app I was working on. Which would have rendered my app and all the other apps for that client much less functional.

2 comments

> JavaScript did not mean "mobile code" in the sense of their checklist

What the hell does that even mean?

What they were referring to were ActiveX controls, Java applets, dynamically downloaded JAR files like on Sun's Java browser, etc. Like rollerblading, it was the unfortunate trend of a bygone era. And yes, it was a ridiculous term. And just more evidence that "cyber security" is just an organizational fig-leaf.
I think the general mindset is: if something can be used for exploitation, then for the sake of safety we should block it entirely.

Of course the mainstream stuff is tolerated, but anything outside of that would need a long list of approvals.