by worthless-trash 243 days ago
HN can be unnecessarily vicious when it comes to these situations. They have a very narrow slit in which they see companies because they extrapolate their understanding into the large corporation.

The attacker needs to find 1 fault in a system to start attacking a system, the company needs to plug ALL of them to be successful, continually for all updates, for all staff, for all time.

Having been on both sides of that fence, I don't envy the defenders, it is a losing battle.

1 comment

> Having been on both sides of that fence, I don't envy the defenders, it is a losing battle.

Being on the defenders' side, I would say it is not a losing battle.

It is a matter of convenience versus security: not using up-to-date libraries because it requires some code rewrites and “ain't nobody got time for that”, adding too much logic to functions and scope creep instead of segregating services, not microsegmenting workloads, using service accounts with full privileges because figuring out what you actually need takes too much time; and the list could go on.

I am not blaming all developers and engineering managers for this because they might not know about all the intricacies of building secure services - part of the blame is on the ops and security people who don’t understand them either and think they’re secure when they are not. And those folks should know better.

And third, hubris: we have all the security solutions that are trendy now, we’re safe. Do they actually work? No one knows.

So, why I say it is a losing battle is because when I look for a weakness it's not a known CVE and it's not known to be exploited.

Many of these companies can keep up to date assuming their vendors report correctly. The exploits that are not publicly documented are rarely fixed.