Thread regarding Optum layoffs

ESRO is such a clown show

They give all these teams a deadline of 12/15 to get their MBO score in order. Many teams in our org had releases scheduled to address various vulnerabilities prior to this deadline. Now that date has magically shifted to 12/10 and the "MBO Score" which determines our year end review and RRP eligibility is frozen.

Who the he-l decided that giving these id--ts this much influence in the company was a good idea? Half the time their scanners aren't even working and they don't know why, so your MBO score will fluctuate between two wildly different numbers weekly, making planning not an option.


1041 views | 2 replies (last December 11)
Post ID: @OP+1kc4jw7p8

2 replies (most recent on top)

@bh The tools they are enforcing for scanning are garbage. Constant false positives, and a 'guilty until proven innocent' mentality. It seems like I'm always stuck in 'maintenance' mode, because my pipelines randomly fail due to some new false positive scan alert which blocks the build from completing and pushing.

The ESRO team is also great at deflecting. You join their calls to address a false positive, and they may direct you to another team that has nothing to do with it, or ask you to send an email to them to take it offline. Problem is, they never respond to that email in several cases I've tried. It seems like their primary focus is to get off the office hours call as quickly as possible with as few as possible action items on their side.

Security is great, but to use products which are obviously not ready for this level of enterprise usage is frustrating. Probably just went with the cheapest option available.

Post ID: @c0+1kc4jw7p8

@OP how about just code securely. It's been around for ohhhhh more than 20 years now. Why are you working on vulnerabilities when code should be secure-by-design?

ESRO is not influencing the company for secure coding; the CTO, shareholders, board and all the customers want and need secure code which is professional grade code.

Post ID: @bh+1kc4jw7p8
