...Or you could fix the software.

Josh Beckett

One of the fundamental realities of security is dealing with vulnerabilities.  In the industry, we have become so jaded to the fact that software makers simply don't want to go to the trouble and expense of churning out secure code that we have just learned to 'abide.'  Consequently, we come up with elaborate ways to measure vulnerabilities and concoct Wile E. Coyote style mitigation plans to bring the risk down to an acceptable level.

Occasionally, I'm reminded that my permanently security-tainted skepticism needs a bit of a challenge to my comfortable position that there is no real security, there is only incident response.  We continue to fight a losing war and resign ourselves to try harder tomorrow.  With nation-states throwing their hats and ample wallets into the ring and anonymously buying bugs and exploits and expecting it to not be reported to the software vendor or public, it seems all is lost.

...or you could fix the software.

Occasionally, I am reinvigorated by the fact that someone else out there cares.  In a war without borders and the traditional bad guys and the traditional good guys seem to be on the same side...against the rest of us; there are very few events to help you keep your thin grasp on your faith.  Why do I keep fighting when no one else seems to care?

Well, someone else joining the fray to fix the software lends one more grain of sand on the side of the scale that is so heavily outweighted.

I'll try to ignore the fact that was pointed out in the Matrix: it is still one system built on top of another system, which was never conceived to be secure, and take a deep and cleansing breath and sleep in my cold and wet cyber foxhole tonight and wade back into it again tomorrow.

*update*
Unrelated story, but two nuggets of intelligent thinking in security rules is just too good to pass up.  My position has always been that if it were truly dangerous, they wouldn't let you have it in your possession.  The on/off issue is just cruft and the linked article accurately and intelligently addresses everything else.  My security cup runneth over....

No comments :

Post a Comment