It sounds like the extent of the risk here is that a user may extend a security group with a change to block some malicious traffic or close off a vulnerable service, then assume they're protected from it without double-checking.