[WEB SECURITY] Great article outlining a core issue with many in the security community

Steven M. Christey coley at rcf-smtp.mitre.org
Mon Feb 14 09:47:13 EST 2011


On Sun, 13 Feb 2011, Michal Zalewski wrote:

> I'm not sure we're "losing" any more than ten years ago - there is
> more PR and community exposure, but perhaps that's it? But we might be
> fighting the wrong battle to begin with.

I believe that software by many popular vendors/services is, in general, 
more "objectively" secure than it was 10 years ago - in terms of having 
fewer vulnerabilities, and a much smaller percentage of "obvious" 
vulnerabilities that (generally) require more human effort to find.  Bug 
bounties and Pwn2Own are symptoms of that.  But, maybe the day-to-day 
threat has changed much more rapidly, and the attack surface is much 
greater than it was 10 years ago.  So, the "operational" security may have 
declined in that time.

Admittedly, we still regularly see brand-new software classes start off 
with the same old security issues.  "Secure-by-design" has a longer way to 
go than avoiding implementation bugs.

- Steve




More information about the websecurity mailing list