It’s not security debt, it’s just general technical debt.
I would also say, that this is just technical debt. I also fully understand, that there are things like breaking changes. I remember clearly when we used asyncore in the past for Python at work and then it became deprecated. It was still possible to use it for a long time, but a change was needed. Such breaking changes caused work and are not nice. Especially if it is a big software.
On the other side, I am not happy if I buy software or hardware, which has probably insecure dependencies. I understand the developers, I am also one, and I know that many things are not under their control. I am also not blaming them. But it is a no-go if something new is sold with 10-year-old OpenSSH Server, 15-year-old curl or other things.
But I am not taking exotic vulnerabilities that seriously. Like, if you need specific constellations, so this is somehow hackable.
Mischala@lemmy.nz 8 months ago
Generally a regular issue is much less likely to get you hacked.
Security issues often come with legal liability which is why a bad security department will act overly important and stomp around demanding changes be made right the fuck now.
But I do get it, a good security team should be enabling their dev teams to solve issues in the heat disruptive way possible, not just thrown them work and barking orders.
In some places I have worked, the sec teans will find an issue and push PRs to fix them, explaining the security concern, and requesting only a review and merge.