I am in the process of transitioning to a new ISSO position. The current ISSO responded that I didn’t understand DevSecOps because I asked about their history of exploits. This seems very unusual to me. First of all, much of their infrastructure is legacy client-server on hardware, with some servers virtualized.
I am not so familiar with cloud-native environments, which are a possible alternative for an updated system, so I did a little research. Not surprisingly, I found critical remote-access vulnerabilities within cloud-native software architectures.
I wonder what other pros think of the existing ISSO’s response to my question?
It’s always interesting when people say you don’t understand x,y,z.
I usually agree with them, professing to truly understand very little (this is a truth, so I’m on extremely solid ground here), and ask them to explain. Then, as is normal with folk who tell people they don’t understand, I’ll use Kipling’s six honest serving men or point out where there are tautologies/fallacies, etc. Most of the time you can refine understanding together.
In this case, the person who said that there was an absolute negation of exploits... well, that’s hardly credible and, to your point, easily falsifiable. In fact, it’s so unusual for a security-conscious person to leave themselves open with a statement like that that I’d be very interested in their rationale for this position.
You are right on the point. Having been an auditor for many years and having successfully prosecuted many frauds, I tend to be quiet and gather information until I feel comfortable in my assessment. I still lack a lot of knowledge of my system because I cannot access the documentation. More importantly, I am lacking knowledge of two important cultures: my employer's and my client's. Thanks for answering.