← Back to context

Comment by natebc

2 hours ago

Oh i've worked with plenty. Maybe they knew more than they let on but they were (and are) convinced that every little belch is a full on attack.

I know their day to day is just as mundane as the rest of ours it's their "Step 1" approach that i've seen to be entirely different. I assume it's probably a software bug, they assume it's an exploit.

> I assume it's probably a software bug, they assume it's an exploit.

They're not mutually exclusive.

I suspect you and the security team are arguing the same thing but with different terminology.

When vulnerabilities (which, in the vast majority of cases, are accidental) are published, or when static analysis tools review code, you'll get a description and a severity score. That description will broadly describe how, if possible, that vulnerability can be exploited.

Working for an in-house security team basically just means you're a risk assessor. And the way you assess risks is to look at the potential consequences of those risks. Which means looking at how bugs can be exploited.

But none of this means those vulnerabilities were placed in the code intentionally and with malice. It just means that someone else who is malicious could, theoretically, exploit those vulnerabilities. And if the risk of that is greater than the risk appetite of the business (as will typically be the case), then they'll feedback to you that there is an exploitable vulnerability that you need to patch.