[WEB SECURITY] Great article outlining a core issue with many in the security community
Steven M. Christey
coley at rcf-smtp.mitre.org
Mon Feb 14 09:47:13 EST 2011
On Sun, 13 Feb 2011, Michal Zalewski wrote:
> I'm not sure we're "losing" any more than ten years ago - there is
> more PR and community exposure, but perhaps that's it? But we might be
> fighting the wrong battle to begin with.
I believe that software by many popular vendors/services is, in general,
more "objectively" secure than it was 10 years ago - in terms of having
fewer vulnerabilities, and a much smaller percentage of "obvious"
vulnerabilities that (generally) require more human effort to find. Bug
bounties and Pwn2Own are symptoms of that. But, maybe the day-to-day
threat has changed much more rapidly, and the attack surface is much
greater than it was 10 years ago. So, the "operational" security may have
declined in that time.
Admittedly, we still regularly see brand-new software classes start off
with the same old security issues. "Secure-by-design" has a longer way to
go than avoiding implementation bugs.