What’s more likely to get hacked: code that’s 10 years old or 1 year old? What code gets more attention in appsec: code that's 10 years old or 1 year old? See the problem?
If 10-year-old code is still in production, it’s often orphaned with no one who owns it. I’ve had to beg devs to fix it with the caveat that if they break something, it’s my fault. (** not at my current employer **)
Yes indeed, and this is a good example of why this is the area that contains the vast majority of the risk.
Replying to @jeremiahg
One of the least talked about steps in the SDL is the sunsetting and eventual decommissioning of the product. No one gets in trouble for kicking this can down the road, largely because they’re no longer with the company. That’s why having product owners is so important.

Sep 30, 2021 · 3:26 AM UTC

Replying to @bilcorry
Yeah, for some reason very few of the SDL diagrams include EOL.
I noticed that too. I figured it was people reducing their workload. If we assume we're only ever improving the product, then we don't have to do the work to determine what happens at EOL. And if it should happen on our watch, we'll figure it out then.