← Back to context Comment by DamonHD 2 months ago When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not! 6 comments DamonHD Reply cluckindan 2 months ago If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.If they haven’t, it would be ethically dubious for you to not report it. jacquesm 2 months ago In theory there is no difference between theory and practice, but in practice there is.> If they haven’t, it would be ethically dubious for you to not report it.I can report all I want, someone needs to act on that report for it to have an effect.There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit. cluckindan 2 months ago But the aforementioned NIST standard requires a lot more from auditing and operations. 1 reply → drw85 2 months ago In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy. DamonHD 2 months ago These were all multinationals, with very significant US presence.
cluckindan 2 months ago If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.If they haven’t, it would be ethically dubious for you to not report it. jacquesm 2 months ago In theory there is no difference between theory and practice, but in practice there is.> If they haven’t, it would be ethically dubious for you to not report it.I can report all I want, someone needs to act on that report for it to have an effect.There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit. cluckindan 2 months ago But the aforementioned NIST standard requires a lot more from auditing and operations. 1 reply → drw85 2 months ago In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy. DamonHD 2 months ago These were all multinationals, with very significant US presence.
jacquesm 2 months ago In theory there is no difference between theory and practice, but in practice there is.> If they haven’t, it would be ethically dubious for you to not report it.I can report all I want, someone needs to act on that report for it to have an effect.There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit. cluckindan 2 months ago But the aforementioned NIST standard requires a lot more from auditing and operations. 1 reply →
cluckindan 2 months ago But the aforementioned NIST standard requires a lot more from auditing and operations. 1 reply →
drw85 2 months ago In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.
If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.
If they haven’t, it would be ethically dubious for you to not report it.
In theory there is no difference between theory and practice, but in practice there is.
> If they haven’t, it would be ethically dubious for you to not report it.
I can report all I want, someone needs to act on that report for it to have an effect.
There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.
But the aforementioned NIST standard requires a lot more from auditing and operations.
1 reply →
In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.
These were all multinationals, with very significant US presence.