Reply to post: Re: analysis paralysis

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Drew Scriver

Re: analysis paralysis

I'm all for independent auditors, but I've come across my share of corrupt and/or incompetent auditors. Example: a web event registration application that used /errorlog.txt to record every possible piece of information, including credit card number, expiration date, cardholder name, and CVV code. The PCI-DSS auditor (an independent, fairly well-known company) signed off on it.

Also, in my entire IT career (going back to the 90s) I have NEVER seen an auditor ask the grunts any questions. In my experience the average admin/engineer knows about a bunch of issues, but they never get catalogued formally. Even communicating them up the chain tends to do nothing more than make oneself hated across all tiers in the company.
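As an added example (not part of this comment or the thread), here is the kind of check an auditor or admin could run over an application's error log to catch the situation described above: find digit runs that pass the Luhn check, report them masked, and flag lines where a CVV sits next to the card number. The log lines are constructed test data using standard test card numbers, not real ones.

```python
import re

# Constructed sample of an over-verbose error log (test card numbers, not real data).
SAMPLE_LOG = """\
2019-03-02 10:14:55 ERROR register.php: gateway timeout; payload={"name":"J Smith","card":"4111111111111111","exp":"12/21","cvv":"123"}
2019-03-02 10:15:02 INFO  register.php: session 8f3a started, ip=203.0.113.7
2019-03-02 10:15:09 ERROR register.php: retry failed; card=5500 0000 0000 0004 cvv=999
2019-03-02 10:16:40 INFO  cron: order id 1234567890123456 archived
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_NEARBY = re.compile(r"cvv\W{0,3}\d{3,4}", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep BIN and last four so the finding is reportable without copying the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_data(log_text: str):
    """Return (line_number, masked_pan, cvv_on_same_line) for every Luhn-valid candidate.

    Non-card numbers such as order ids or timestamps fail the Luhn check and are skipped.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((lineno, mask(digits), CVV_NEARBY.search(line) is not None))
    return findings


if __name__ == "__main__":
    for lineno, pan, cvv in find_card_data(SAMPLE_LOG):
        print(f"line {lineno}: PAN {pan}{' with CVV on same line' if cvv else ''}")
```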
