Date: Tue, 7 Oct 2014 18:11:10 +0800
From: Pavel Labushev <pavel.labushev@...box.no>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts on Shellshock and beyond

Finding and fixing security bugs doesn't scale and doesn't even work. New bugs are being introduced all the time, together with or even by the code that fixes old bugs. And the more complicated and large a code base is, the worse.

What works is recognising and eliminating whole bug _classes_, or deploying exploitation mitigation measures against them. But good luck convincing software developers they should do that, that they should learn something new, change their workflow, their toolchain, work on their discipline, change their priorities, consider external experts' opinions and generally "waste" their time on something as hardly measurable and conventionally "insignificant" as software security.

Also, sometimes, to make some things considerably more secure instead of just participating in a cargo cult, you should literally replace things with something more thought, with better architecture and design, using more secure technologies and approaches, etc. But that's not how software development works in general, that's not how people want to spend their resources. And even Snowden's leaks didn't really change that.

Thinking that there's some "reasonable" approach, like bug fixing or something, is just plain wrong, in the AV industry style. There are no "reasonable" approaches, the system is fscked up and it won't change so easily in any foreseeable future.

To make some real difference, we should stop participating in the cargo cult of security bugs fixing, get the guts to admit that it doesn't work, and move on.