Richard "RichiH" Hartmann

@stefano @maxinstuff NB: I don't have a strong urge to get into an XKCD 386 situation; I'm happy to just drop it.

That being said, I do observe deflection and diversion rather than acceptance.

While I agree that first level is, well, first level, and thus tied to tight scripts with little agency, a robust process must be designed to default to secure. As such, "unless we can checkbox it, we need to look more deeply" is usually the local maximum between time & cost efficiency and secureness.

Magnus Ahltorp

@RichiH @stefano @maxinstuff If they knew anything about what they were auditing, they could have said “we understand that the VPN makes it difficult to access the server and exploit any security holes, but we need the underlying server to be compliant anyway, in case of anyone fumbling the VPN”, and then when they didn’t understand the version/OS differences, said “write us a couple of lines justifying why this is compliant, and we’ll send it for evaluation and archiving”.
