
Security: better to be proactive or reactive? - andersonmvd
https://dadario.com.br/security-better-to-be-proactive-or-reactive/
======
daenney
> However this way you will focus on fixing only real world attacks. Still,
> it's somewhat a shameful thing to put vulnerable applications on production
> and rely solely on bug hunters to find bugs before attackers. Shameful
> because of the disrespect with customer data and your own data / reputation.
> In the end it's still insecure. Bug hunters should only be considered "an
> extra help" and nothing else.

Shameful? Sure, if you know about the vulnerabilities. But in most cases
they're honest human mistakes that make it out to production, or because we've
failed to educate people on properly securing their web apps and properties in
general. And that sucks. And sometimes these bugs live on for years. But
calling it shameful is rather harsh and it doesn't improve any of it either.
If anything it makes people feel crappy over it.

~~~
andersonmvd
Thanks for commenting, daenney.

> Shameful? Sure, if you know about the vulnerabilities.

Maybe from a non-secure mindset you're right, but my point is about strategies
for a security program. And it also has another problem: without prior checks
you'll end up paying much more money. Facebook and Google paid millions
already, but that amount would be much higher if they didn't check for
vulnerabilities in their home.

Talking about security strategies, you don't really need to know about the
vulnerabilities in order to consider this very act "shameful". It's just that
you're lacking due diligence. You shouldn't blindly trust bug hunters as a
single mechanism to reduce the number of bugs.

