We just ditched slack in favour of teams at our company, because slack wasn't "secure" enough. I feel like I see a headline like this twice a month. I can't ever remember seeing a similar headline for slack.
Exchange is actually still fairly prevalent, even among smaller companies. Although many of the smaller orgs that still have on-prem Exchange tend to have a migration plan to M365.
> Exchange is actually still fairly prevalent, even among smaller companies. Although many of the smaller orgs that still have on-prem Exchange tend to have a migration plan to M365.
and I hope they do. most of these smaller companies are sometimes sitting on really really old versions. "it works" is mostly the argument.
updating exchange sometimes can be painful. most of the time everything works, but sometimes things just break.
Let’s not ignore that if you’re a company self-hosting a highly available Exchange installation (plus backup infrastructure and maybe near-line storage solutions for mail), it’s almost certainly comprised of very expensive capital and > an FTE of labor, all which are entirely a waste of time and resources at this point.
There are vanishingly few circumstances where it makes sense for an organization to be funding deep expertise for the direct management of an Exchange environment. This has been clear for nearly a decade.
The capex to refresh that hardware is a ridiculous waste, so yeah, it wouldn’t surprise me if the people still running those setups have very aged installations (e.g. WinSrvr 2008-12), which are as great a risk as the Exchange Server software they’re running.
The gating factor is often the expertise to plan and execute a migration with minimal disruption and loss. It’s not simple, and it’s nothing like an exchange upgrade project. It’s a downright UGLY project if a company has been abusing their mail system for years (e.g. using their mail system as a document management platform since ‘99, allowing distributed PSTs, etc.). Seen it.
Teams is half way to the null position in the continuum - if it doesn't do anything and/or people don't want to use it, it exposes you less to vulnerabilities.
Can anyone recommend a solid website which aggregates CVE data in order to generate security scores for companies, platforms, open source projects, etc.? I know CVE data has a lot of problems, but I still suspect that this would be more objectively accurate than making security decisions based on gut feel.
I don't know of one, and making this judgement based on CVE data alone will not answer your question. Factors ignored include codebase size, customer count, internal CVE filing standards/criteria, etc.
The only signal I would conclude from CVE data by itself, is that I bias towards a preference for companies that regularly publish CVEs. The ones that don't publish CVEs regularly are hiding, ignorant, or actually secure (and the first two are more likely).
Aggregating cve data is probably not a useful signal. Products with more cves are not necessarily less secure than ones with fewer ones.
Possibly if a product consistently has high cves over a long period of time that might tell you something about poor security practices over that period (or before it). It might also mean that their security is now quite good!
You have to interpret the data I'm afraid. I can't think of any useful statistical measures you could use to compare aggregate data across multiple products.
It's kinda sad that they went through the whole monopoly suit over a century ago and here we are in Windows 11 getting OneDrive notices crammed down our throats even when there's an active work Office 365 subscription on the damn machines. (... and now Teams ad notifications in the Office suite)
I thought this was for on premise exchange installs that are directly facing the internet, which is an extremely rare setup these days.
Most companies use hosted exchange or if exchange is on premise, it sits behind a firewall of some kind.