- No one at the organization understands or is responsible for maintaining the code.
- Features are prioritized ahead of security fixes.
- Affected code is owned by an unresponsive third-party vendor.
- Website will be decommissioned or replaced "soon".
- Risk of exploitation is accepted.
- Solution conflicts with business use case.
- Compliance does not require it.
- No one at the organization knows about, understands, or respects the issue.
Saturday, May 02, 2009
8 reasons why website vulnerabilities are not fixed
Some reasons I've heard over the years. In no particular order...