Hacker News new | past | comments | ask | show | jobs | submit login

Most organizations with any sort of audit, insurance, or regulatory requirements do. Updating software is one of the most basic things covered by any security benchmark.



Maybe internally. If done externally, extorting your users to update their stuff, then it is clearly overstepping the boundaries. Creating awareness is good and necessary, but insisting on another entity, be it a user or another company doing something, because it is in your company's security benchmark, is inappropriate. Quickly silly things, that have no security benefit at all make it into that benchmark and are tried to be forced upon other entities. Suddenly a company will be interested in how you internally handle your SSH keys. Do you make new ones every 3 months? No sorry, every 4 months is too long for our security benchmark.


The possibility of something being done poorly doesn’t mean that it can’t be done more thoughtfully. For example, most banks will refuse to let you do online banking using IE6 or SSLv3 and pretty much everyone is okay with that because the risks are obvious.

That’s always the tradeoff you have to make since you’re balancing the benefits to the user and cost of development - customers do benefit if you can ship better things faster because you’re not held back by discontinued browsers. <dialog> might not be there quite yet but it’s close and if you already don’t support IE11 there’s an obvious appeal.


I think you've got a good point there. It would be good to come together at a table and discuss such things on an eye to eye level, between entities. Obviously not always possible for natural persons to all come together. Announcing things well ahead of time can go a long way, rather than suddenly dropping support from one day to the next.

What I would proprose then is, that companies should state their minimum security requirements to work with any other entity somewhere publicly available, so that it will not be something ad-hoc invented for some entity.

I have seen companies trying to treat smaller ones like some kind of supplicant entity, that one can push around and ask about interna, that could easily lead to the bigger company building a copy of the smaller company in a few months, since they got much more workforce to put to it, if they really wanted. Asking for things like "architecture diagrams". I am quite sure, that big companies will laugh you out of the room, if you asked them to provide same for their architecture.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: