this post was submitted on 26 Aug 2023
82 points (100.0% liked)

Free and Open Source Software

[–] WagnasT@iusearchlinux.fyi 26 points 1 year ago (1 children)

ugh, I'm glad I've moved on from IT, but I've had many arguments with 'security managers' about some bogus Qualys findings. If the CVE is that a user could do a thing in an unexpected way, but they have permission to do the thing, that is a bug, not a vulnerability. IMO it's only a vulnerability if someone that is not allowed to do something can do the forbidden thing.

[–] Nullroad@beehaw.org 5 points 1 year ago

I used to work in a place where we constantly got looked at by security companies and consultants. The wisdom of that time? Companies don’t hire security firms and consultants to find nothing, so no matter how asinine or impractical it is, they’ll still file it because an empty report is bad for business.

Our security handling was pretty strict, and we had to constantly talk customers off the ledge and kindly inform them that their consultant was blowing crazy swamp gas up their asses. My favorite was a firm that listed all Easter eggs as a vulnerability. An open source package could raise the list of developers with a secret key combo, and so the customer saw this on their report and raised a stink. The customer had no idea what this all meant, but their consultant had scared the crap out of them, so we had to layer on a patch to disable the stupid thing.