Dailydave mailing list archives
Re: Twitter: (verb) to fail under exponential growth
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 01 Jul 2008 17:50:58 -0400
Chris Eng wrote:

| Oh come on, you know the answer to that. Because things break. Same
| reason people don't run WAFs in prevent mode, same reason IPS isn't more
| popular. Source/binary tools could patch automatically, in theory, but
| in order to measure whether it broke something, you have to have an
| extremely robust regression suite.

My thought is this, to avoid getting into the specifics that annoy everyone:

People tend to think they can "manage" their networks or their application security, but their management skills are scaling linearly and the problem is scaling exponentially, and they can only throw money at it for so long. When people talk about a "self-healing network" what they mean is "we can't afford to manage exponentially growing problems - those problems have to manage themselves".

Of course, Immunity does offense, not defense, and I'm having to translate here from my native language. Where you want a self-healing network, we are creating a self-attacking network, and so on. Having looked at the problem of exponential growth from the attacker's side, I'm trying to posit the defender's part of the issue.

Marc Maiffret says:

"""
Because we have tools that can already pinpoint code problems but companies are too lazy to care to get them fixed.
"""

I don't think it's because they're too lazy at all. I think it's because the understanding I need to have of the whole system to fix that one bug grows exponentially with the size of the system. Every year we write bigger and bigger systems, which means the bugs get exponentially larger, and at some point the cost of fixing any one bug is larger than we care to take on.

Specific to application security, yes, things will break if you automatically patch them, but this is true of humans patching things as well. Patching a vulnerability depends on knowing what it is. For some values of "know" this process is trivial, and for some it's not.

I think it's a very automatable problem, either in the binary or in the source. The only way to really argue the "can do" side is to do it, of course. :>

-dave