CDK Learnings

Carsten

Boss
Jan 7, 2024
I thought more about what companies I have worked for do and don't do.

1. The post about CDK using old 2014 code could be true. Corporations, unless forced to by a 3rd party, just don't like to consider tech debt. Tech debt is updating software so it will be using LTS (long-term support) code bases. Simply, it's like a company avoiding upgrading from Windows XP because it's a waste of time and money unless a 3rd party partner makes them do it. Sometimes companies will just pay for old code updates by companies who do this. So imagine ABC Updating Company, who will provide updates to XP so it stays marginally current.

When PCI, PII, and HIPAA compliance is necessary, companies will fold and do the upgrades.

Corporations will actively not spend money just to stay current. Sometimes a new version of a coding language comes out and companies willfully ignore these updates and even use versions that don't even have security updates coming out.

2. Code sniffers: Has the software that you use at least been through developer-level code checkers? It really only takes a few minutes to run tests.

3. Code vulnerability 3rd party checkers: Has the software that you use been verified by a 3rd party service like this? Comprehensive Cybersecurity and Exposure Management | Tenable®
These services are not cheap. Tenable is likely on the cheap side.

4. Does the software that you use have a plugin system? WordPress does. How does your software validate the plugins?

Note:
If the software that you use doesn't do number 1, then I highly doubt it does 2 or 3. This is corporate fact.

Security checking is a pain, but it needs to be done.