"Well, you can certainly tell who the folks are that are skimping on security and resilience by not using us because they are the ones who are still operational."

CrowdStrike. Probably.

@th3j35t3r
Serious question: Given this latest disaster from CrowdStrike and previous ones from SolarWinds and other such security providers, why are so many companies continuing to rely on them? I can appreciate the scope of managing a huge number of systems, but when one breach, poisoned update, or just plain bad patch takes down a huge chunk of national or international infrastructure, when will these orgs finally look to other solutions?

@th3j35t3r
Are there independent security contractors who can handle organizations this large? Because to me, that would be preferable.

What's happening now seems like the infosec equivalent of these large companies all investing a huge amount of their assets in the same stock, and trusting that it will stay stable.

@th3j35t3r @White_Rabbit
I also wonder if CrowdStrike et al. thoroughly test all patches on dev mirrors of their client installs before pushing them out. I realize that takes time and is not free, but I would think that's part of what you're paying these companies to do, to make sure that anything pushed out to operational systems is clean and solid.

@voltronic @th3j35t3r @White_Rabbit No company will pay what it requires to fully test all of the software they deploy. Even NASA admitted they shipped code with bugs that threatened human life, simply because they couldn't afford to. That said, Capitalism ensures that the absolute least amount of testing will be done. This current outage will be generally forgotten in a week and CrowdStrike will survive it, so apparently Capitalism ... works? Kind of?

@Spartan @voltronic @th3j35t3r @White_Rabbit Back in the day in IT in a Fortune 50 healthcare company, I wrote business cases & cost-benefit analyses for infrastructure & appdev. My corporate overlords knew damn well when cost-cutting would potentially impact patient outcomes, but very few cared enough to fight for adequate funding. Pure greed. When you are assessed on cost cutting over everything else, it's in your self-interest to roll the dice on someone else's life.
