Regarding "patching is hard, you've never patched a production system" hot takes
https://blog.cryptographyengineering.com/2017/09/15/patching-is-hard-so-what/ [blog.cryptographyengineering.com]
2017-09-15 22:51
The key point is that once you’ve baked this cake, you’d better be willing to eat it. If your system design assumes that application servers will not contain critical vulnerabilities — and you don’t have resilient systems in place to handle the possibility that they do — then you’ve implicitly made the decision that you’re never ever going to allow those vulnerabilities to fester.
Also on the twits: https://twitter.com/matthew_d_green/status/908707591840296961
Agree with the punchline: If you can’t patch Struts in a reasonable manner, then you can’t put Struts in the critical path for system security.
source: green