What’s more likely to get hacked: code that’s 10 years old or 1 year old? What code gets more attention in appsec: code that's 10 years old or 1 year old? See the problem?
Replying to @jeremiahg
If 10-year-old code is still in production, it’s often orphaned with no one who owns it. I’ve had to beg devs to fix it with the caveat that if they break something, it’s my fault. (** not at my current employer **)

Sep 30, 2021 · 1:48 AM UTC

Replying to @bilcorry
Yes indeed, and this is a good example of why this is the area that contains the vast majority of the risk.
One of the least talked about steps in the SDL is the sunsetting and eventual decommissioning of the product. No one gets in trouble for kicking this can down the road, largely because they’re no longer with the company. That’s why having product owners is so important.