undefined | Better HN

0 pointsjacquesm4mo ago0 comments

Sorry, but that had me laughing out loud.

No, they haven't.

I should know, I check those companies for a living. This is one of the most often flagged issues: unaudited Node.js dependencies. "Oh but we don't have the manpower to do that, think about how much code that is".

0 comments

DamonHD4mo ago

When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not!

cluckindan4mo ago

If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.

If they haven’t, it would be ethically dubious for you to not report it.

jacquesmOP4mo ago

In theory there is no difference between theory and practice, but in practice there is.

> If they haven’t, it would be ethically dubious for you to not report it.

I can report all I want, someone needs to act on that report for it to have an effect.

There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.

1 more reply

drw854mo ago

In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.

DamonHD4mo ago

These were all multinationals, with very significant US presence.

j / k navigate · click thread line to collapse

0 pointsjacquesm4mo ago0 comments

Sorry, but that had me laughing out loud.

No, they haven't.

0 comments

DamonHD4mo ago

When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not!

cluckindan4mo ago

If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.

If they haven’t, it would be ethically dubious for you to not report it.

jacquesmOP4mo ago

In theory there is no difference between theory and practice, but in practice there is.

> If they haven’t, it would be ethically dubious for you to not report it.

I can report all I want, someone needs to act on that report for it to have an effect.

There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.

1 more reply

drw854mo ago

In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.

DamonHD4mo ago

These were all multinationals, with very significant US presence.

j / k navigate · click thread line to collapse