
Software complexity in most companies has exploded. Nobody is doing anything to try to reduce or manage complexity, so it's only getting worse. The more complexity there is, the easier it is to find vulnerabilities.



> Nobody is doing anything to try to reduce or manage complexity, so it's only getting worse.

I disagree. I see a number of large corporations starting to standardize either 1) their entire development stack, from the IDE all the way to how the code is deployed, 2) reengineering entire languages so that one language is used, e.g. Quartz at BofA, or 3) at the very least, standardizing their middleware stacks, to avoid the configuration-related issues of having a development team managing that.

While I do agree that the complexity of third-party libraries has exploded and is increasingly difficult to manage, I'd say companies are well on their way to standardizing that, with tools like Nexus, Sonatype, Black Duck, etc.

We're obviously a long way away from being even 75% effective across the board, but to say nobody is managing the complexity is a bit short-sighted :)


> I see a number of large corporations starting to standardize

My current job in a nutshell.

It's like handling children. (No, you can't add a new technology because you want something fancy on your resume.)


OPSEC comrade :)


We're trying to address this. If you've got some time, I'd really like to compare notes on this and learn how you guys work day-to-day. We're leveraging osquery to assess the various aspects of systems and try to build threat models where risk cascades as systems change, to help facilitate automated reporting, alongside the traditional mundane cybersecurity day-to-day activities.
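
One way to make "risk cascades as systems change" concrete, as an added example that is not code from the commenter above or from the osquery project: take two osquery result sets for the same query (listening sockets joined to their owning process, as `osqueryi --json` would emit them), diff them, and grade each change by how much exposure it adds. The two snapshots below are constructed by hand to stand in for real osquery output, and the severity rules are this example's own assumptions, not an osquery feature.

```python
"""Diff two osquery snapshots of listening sockets and flag exposure changes.

Added example. Assumes each snapshot is the JSON osqueryi emits for:
  SELECT p.name, p.path, l.port, l.address, l.protocol
    FROM listening_ports l JOIN processes p USING (pid);
The rows below are constructed sample data, not captured output.
"""
import json

# Addresses that only reach the local host; anything else counts as exposed.
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed baseline: sshd exposed, postgres and cupsd bound to loopback.
BASELINE_JSON = json.dumps([
    {"name": "sshd", "path": "/usr/sbin/sshd", "port": "22",
     "address": "0.0.0.0", "protocol": "6"},
    {"name": "postgres", "path": "/usr/lib/postgresql/14/bin/postgres",
     "port": "5432", "address": "127.0.0.1", "protocol": "6"},
    {"name": "cupsd", "path": "/usr/sbin/cupsd", "port": "631",
     "address": "127.0.0.1", "protocol": "6"},
])

# Constructed later snapshot: postgres now on all interfaces, a new node
# service listening on 8080, cupsd gone.
CURRENT_JSON = json.dumps([
    {"name": "sshd", "path": "/usr/sbin/sshd", "port": "22",
     "address": "0.0.0.0", "protocol": "6"},
    {"name": "postgres", "path": "/usr/lib/postgresql/14/bin/postgres",
     "port": "5432", "address": "0.0.0.0", "protocol": "6"},
    {"name": "node", "path": "/opt/app/node", "port": "8080",
     "address": "0.0.0.0", "protocol": "6"},
])


def parse_snapshot(raw):
    """Key each row by (process name, port, protocol) so snapshots can be joined."""
    rows = json.loads(raw)
    return {(r["name"], int(r["port"]), r["protocol"]): r for r in rows}


def is_exposed(row):
    """A listener is exposed if it is bound to anything other than loopback."""
    return row["address"] not in LOOPBACK


def exposure_delta(baseline_raw, current_raw):
    """Return findings for every listener that appeared, vanished or changed.

    Severity rules (assumed for this example): a new exposed listener or a
    listener that moved from loopback to a routable address is 'high'; a new
    loopback-only listener or a changed binary path is 'medium'; a removed
    listener is 'info' so the report still records the change.
    """
    base = parse_snapshot(baseline_raw)
    cur = parse_snapshot(current_raw)
    findings = []
    for key in sorted(set(base) | set(cur)):
        name, port, _proto = key
        before, after = base.get(key), cur.get(key)
        if before is None:
            findings.append({
                "severity": "high" if is_exposed(after) else "medium",
                "process": name, "port": port,
                "change": "new listener on %s" % after["address"]})
        elif after is None:
            findings.append({"severity": "info", "process": name,
                             "port": port, "change": "listener removed"})
        elif not is_exposed(before) and is_exposed(after):
            findings.append({
                "severity": "high", "process": name, "port": port,
                "change": "rebound from %s to %s" % (before["address"],
                                                     after["address"])})
        elif before["path"] != after["path"]:
            findings.append({
                "severity": "medium", "process": name, "port": port,
                "change": "binary moved from %s to %s" % (before["path"],
                                                          after["path"])})
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["port"]))


if __name__ == "__main__":
    for f in exposure_delta(BASELINE_JSON, CURRENT_JSON):
        print("%-6s %-9s :%-5d %s" % (f["severity"], f["process"],
                                      f["port"], f["change"]))
```

Run against the constructed snapshots, this reports postgres and node as high (one rebound to all interfaces, one brand-new exposed service) and the vanished cupsd listener as info. In practice the two snapshots would come from scheduled osquery runs and the findings would feed whatever reporting pipeline the team already has; the point is that a risk score attached to a host is only as current as the last diff.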





