OlivOnTech's comments

Hello, your link says "~20 min read" which seems to be the case!

I guess I myself have read it too many times by now so in my mind it was just a 5 minute read when I made this comment... sorry..

Well, I guess in that case it is hardly a 5 minute read.

I don't agree, I see supply chain attacks as a bigger risk than outdated systems exposed only in the LAN.

Both are real risks. But supply chain attacks exist whether you self-host or not... you're still running the vendor's code either way. The question is whether you also want that code to stay up to date and properly managed, or drift silently.

I agree that keeping things up to date is a good practice, and it would be nice if enterprise CISOs would get on board with that. One challenge we've seen is that other aspects of the business don't want things to be updated automatically, in the same way a fully-managed SaaS would be. This is especially true if the product sits in a revenue generation stream. We deal with "customer XYZ is going to update to version 23 next Tuesday at 6pm eastern" all the time.

This is true even with fully-managed SaaS though. There are always users who don't want the new UI, the changed workflow, the moved button. But the update mechanism isn't really the problem IMO, feature flags and gradual rollouts solve this much better than version pinning.

Sure. I'm just saying in the context where fully-managed SaaS was already decided not to be an option, and a customer is deploying vendor code in their environments, the update mechanism can in fact be a problem. It's not just poor CISO management.

Most good engineers are way cheaper than that. The world is bigger than the United States.


No, it would not work. TLS protects against replay attacks by design: the same response (or query) in clear text will not look the same in encrypted traffic.


Data comes from the official status page. It may be more a marketing/communication page than an observability page (especially before selling)


The status page was often down when GH was down, back in the day.


I could imagine a leadership or viewpoint change in how they reported when/what was down.

I've seen so many times where Company A will complain that their vendors aren't accurate enough about uptime and how Company A notices first that their vendors are down, but then they themselves have a very laggy or inaccurate status page.

We want our vendors to be accurate to the minute on these, but many CTOs don't care to admit when they too have problems.


Aha, we need a status page of status pages.


Sup dawg I heard you like status pages.



The attacker went through the hassle to compromise a very widely used package, but used a non-standard port (8000) on their C2... If you plan to do something like that, use 443 at least, many corporate networks do not filter this one ;)


Not the OP, but it's pretty useful in my team: we all work on the same environment, with the same system dependencies, with no setup required on the development machine (except the need for docker).

In the devcontainer you can run code snippets, use the system shell and access an execution environment close to production if well made.

It also lets you avoid (system) dependency conflicts between different projects you may work on.


You have human managers discussing with their team (instead of human-decided metrics that cannot see the full picture)


As companies grow, they tend to move away from subjective performance reviews like that and toward more objective metrics. Otherwise, it's too easy for personal politics to contaminate the promotion process. Employees are incentivized to find whichever manager will give them 5 star reviews no matter what, and managers are incentivized to be that guy, because then they have access to the best employees. When a company is small, and everyone knows everyone, this is not an issue. But when 90% of the company is a stranger to you, you need more objective metrics to rely on.


I'm on my phone, maybe your site would benefit from having sample data available to showcase what it can do?


I believe they already provided "Standard traceroute example", "Flyingroutes example (with protocol breakdown)" and "MTR example (with packet loss and timing statistics)".


But you have to copy those examples from another spot in the post and paste it into the box that is already populated with placeholder information.

And for whatever reason, copy and paste on the page is flakey and required several retries on my iPhone running iOS 26.


I added a Load sample button so you can test it easily


Search "where is waldo" online. It's a famous book series where you have to find a person on complex setups

