Thanks for the feedback. Actually, I think that the role of pentesting fits very well into a view of this. While doing an assessment, you can very easily articulate your findings into probabilistic phrases.
“Reasonable chance” has no hard quantitative definition to my knowledge and I realize I violated my own caveat of using Kent’s estimation language by saying that. So there’s really not a solid platform to discuss that because I messed that up by even using that language. :D
Edit: Turns out I don’t use that language? LMK what…
Maybe it’s a bit of a reach.
“Tell another company that we have good security and can enter a business relationship”
Seems very similar to:
“Tell another person I’m worth dating and can enter a personal relationship”
In both cases, that claim of being worth the effort is pretty fragile and superficial.
I don’t feel like it is useful to critique the use of CloudFlare for this article specifically.
Once I start critiquing a person’s decision to use CloudFlare, I’m doing so without having any clue what made them decide to use it in the first place, or knowing what resources were available to them to use alternative…
Yep this is correct — I tried to articulate the “static site” which would be unlikely to have something like this, but I was unclear. I’ll modify
There’s truth to that, but it’s dangerous to consider it an acceptable amount of signal. There’s a whole universe of ways to surface security debt far before a potential customer does that work on your behalf with a penetration test.
It’s valuable for a company to aggressively mitigate vendor risk in the way you describe…