oss-sec mailing list archives
Re: Thoughts on Shellshock and beyond
From: Pavel Labushev <pavel.labushev () runbox no>
Date: Tue, 7 Oct 2014 18:11:10 +0800
Finding and fixing security bugs doesn't scale and doesn't even work. New bugs are being introduced all the time, together with or even by the code that fixes old bugs. And the more complicated and large a code base is, the worse. What works is recognising and eliminating whole bug _classes_, or deploying exploitation mitigation measures against them.

But good luck convincing software developers they should do that, that they should learn something new, change their workflow, their toolchain, work on their discipline, change their priorities, consider external experts' opinions and generally "waste" their time on something as hardly measurable and conventionally "insignificant" as software security.

Also, sometimes, to make some things considerably more secure instead of just participating in a cargo cult, you should literally replace things with something more thought-out, with better architecture and design, using more secure technologies and approaches, etc. But that's not how software development works in general, that's not how people want to spend their resources. And even Snowden's leaks didn't really change that.

Thinking that there's some "reasonable" approach, like bug fixing or something, is just plain wrong, in the AV industry style. There are no "reasonable" approaches, the system is fscked up and it won't change so easily in any foreseeable future. To make some real difference, we should stop participating in the cargo cult of security bug fixing, get the guts to admit that it doesn't work, and move on.