Move it off server 2008.
I wish that was not a discussion we had with a customer.
“The business critical software we’re using is not supported on 2012 or later”
That excuse works until you mention cyber insurance and suddenly a budget appears to get everything upgraded.
It gets worse.
Sometimes the software update is free. All it needs is a half dozen VMs spun up (in an environment of 1500+) and an approved change window to migrate the current version to new servers, and then another window to update. But your request for new VMs gets back-burnered for close to a year because there are still production machines on unsupported OSes.
Then a very large breach of the software in question happens while you’re on vacation.
By sheer luck, the outdated version is not affected. But suddenly it’s super important to upgrade to the latest version NOW. So you end up spending the next few days of vacation splitting your time between defending yourself, re-explaining the situation to “tech” VPs and up that are total frauds, and dealing with top level vendor support because migrating software and OS versions at the same time is not recommended. And then spending a nice relaxing overnight with one of their top engineers doing what was supposed to be an involved but routine process over multiple change windows, but is instead 9 hours of “this should work, guess we’ll find out” sphincter-clenching Leroy Jenkins action, in which the top-level engineer was needed more than once to fix something. All this while flying blind on a 2000+ node network because the software you had to emergency update without any guardrails (aside from snapshots) is the network monitoring software. Hell of a thing to back-burner, but I didn’t run the company that got sold for several billion so what do I know?
Oh, and three months later you get denied a merit raise because Covid and “nobody” got a raise.
So fucking glad to be rid of that toxic shithole.
During my time working in IT for a power grid provider, it was challenging to find patch windows due to the critical nature of their services.
That probably means there wasn’t a good testing process for patching and there wasn’t adequate redundancy. In theory, if a patch breaks one server it shouldn’t matter.
In reality, patch testing stacks up and gets behind and redundancies are rarely tested. That is expensive, time consuming work which probably isn’t worth the time of someone who is already underpaid and overworked. And fuck! If patch and redundancy testing ever breaks anything prod for whatever reason, the person who was testing everything gets blamed and fired so nobody is going to volunteer for that.
And what, spend money on something that will save us even more money down the line? You fool, I won’t be working at this company by then!
Use a static site generator instead of Wordpress.
I’m a programmer that doesn’t know all that much about cybersecurity beyond the basics.
What do you guys think of AI pentesting? Is it made completely redundant by tools or is it going to be a viable strategy for pentesting?
As with most things, I expect it’ll help the guys who know what they’re doing do their thing faster and more efficiently.
I don’t expect it to replace nor be an effective substitute for a properly trained pen tester.
It might be helpful to developers to fast track security testing, but I think there’s already a wide array of “non-AI” tools that accomplish that? Don’t know a lot about how it could affect that side of things.