by itake 1201 days ago
I wish these tools would just auto fix it for me. I hate messages like this:

> CRITICAL: Only communicate using SFTP connections.

If you know what’s wrong, then fix it. My integration or unit tests will fail if your fix doesn’t work.

2 comments

Well, we're getting there, at least into proposing some fixes.

Automatically fixing is tricky: it means changing your code, which can then get automatically deployed to production without any other checks. Dangerous. Not sure if you want to trust anyone to do that, tbh.

Also, considering all the edge-cases there are, it's impossible to guarantee that a fix won't break your code. If someone does, they just lie to you.

But I understand why you'd love that, as a developer, I do too :)

> changing your code that can get automatically deployed in production without any other checks.

I’ve never worked at a place that didn’t have at least 2:

Code review checks

QA checks

Automated testing

If an edge case breaks the code, then great! The developer can fix it (if the tool can’t). Even if 2% of the time, the system fixes it properly that’s 2% of the time the developer didn’t have to roll up their sleeves.

I agree, in theory :)

But I’m happy you say that, and it gives me hope that our future automated remediation suggestions can be easily adopted.

I think these tools have to have the automation baked into the checks from v0. Adding it later can be a mess without the right abstraction.

You can't just fix that in code. FTP and SFTP are completely different protocols that use different servers.

You need a new server to talk to in order to fix that. And if it's a customer server maybe it can only do FTPS rather than SFTP.

Yeah… so this example is saying “you need to redesign your infrastructure before you can merge this change in.”

If SFTP is a requirement, it should have been captured earlier in the process and not after the integration code was written.

In an ideal world, security tools like this one should be useless… but unfortunately we don’t all live in a world where security requirements are all captured, understood and implemented correctly.

This is just an example; think about application-level encryption, leakage in logger messages, etc.