Can we get a quick feeling from security tool users on if keeping up to date (and avoiding vulns) or only updating b/c of vulns is their primary desire
What’s this issue all about?
Can we get a quick feeling from security tool users on whether keeping up to date (and avoiding vulnerabilities as a result) or only updating because of vulnerabilities is their primary desire?
I need a quick sense, inside and outside of our wider community, to decide which direction to go.
What questions are you trying to answer?
Which is more important to security tool users:
- Knowing which dependencies are outdated and have newer versions available (even when no vulnerability motivates the upgrade), because staying up to date is good hygiene and avoids security vulnerabilities as a side effect.
- Knowing whether any dependency has a known (published) vulnerability, and remediating it as soon as possible.
What assumptions do you have?
Users need to know about vulnerabilities because the business won't allot time for technical debt / ongoing maintenance.
What decisions will you make based on the research findings?
We will decide where to invest the most head-count and time in Gemnasium, per the conversation in https://docs.google.com/document/d/1pWP7pbSeoKwpcQ4lHAQ-wdpOhWuEVrNEl96Kq0ljYkY/edit#
- in knowing the latest version of each dependency and whether you have it
- in knowing which dependencies are vulnerable and offering auto-remediation (pre-tested dependency update MRs)
What's the latest milestone that the research will still be useful to you?
ASAP