Once a security bug exists in your customer's networks, preventing a security breach involves a lot of moving parts, but most importantly:
Identi...
Great article!
I think there is another step between 2 and 3 though. Namely the time it takes for the team to find out about new vulnerabilities and their fixes.
This is actually something I'm working on with IsMyDependencySafe.
It's currently under development, so there are still some issues. And I'd like to build a notification feature, to bring that time down to almost 0.
I totally agree with you that automatic updates should be used whenever possible. But what do you say to people who argue that updates might break something?
A stupid, but kind of possible, example would be an application that relies on a bug of the underlying software, and stops working when that bug is fixed.