Oh fantastic to hear @riskybusiness and @metlstorm say it out loud.
SecurityScorecard and similar scoring services are a very coarse proxy for the state of security at a company.
I recently spent many emails and meetings trying to explain to a customer why our low score, due mostly to a few services still accepting older TLS and missing security HTTP headers, is not a sign that we don't take security seriously. And that the outdated version of software A (which we have many of and which was a big contributor to the low score), while not optimal, is not a priority because of how we use it and the mitigations we have in place.
In the end it was easier to remove the version from the header than to get them to accept that the security scoring service was wrong in this case.
Also the whole business of how they force you to get a proper view of why your score is bad does not seem like an ethical business practice either.
https://overcast.fm/+AAIt0hlU9MU/24:49