Dailydave mailing list archives

Re: software security, disclosure, and bug bounties


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 25 Nov 2014 14:28:58 -0500

The "Bugs don't matter" mantra is probably a standard side effect of
people trying to outlaw exploits. Sadly, these people are weirdly doing
so within the auspices of civil liberties.

Of course, it is hard to disagree that the fuzzing and work you've been
doing on FFMPEG and friends is not going to have an impact (I decline to
say positive or negative here ;>). However, it is possible that
something like the Linux/Windows/Hypervisor-of-your-choice Kernel is
beyond the reach of this sort of behavior. 

-dave

On 11/24/2014 5:46 PM, Michal Zalewski wrote:
Yes; to be perfectly clear - I sent my response somewhat hastily, but
I am not arguing that good design practices, system-level mitigations,
or secure-by-default coding frameworks do not matter. In fact, in many
cases, they matter more than finding bugs.

I can say this from experience; in all the places I worked at so far,
the only scalable way to do security was to make it hard for
developers to shoot themselves in the foot; fuzzing and bug-hunting are
added as a cherry on top, but not as a substitute for having a
competent security program to start with.

On the flip side, I am somewhat unhappy with the "bugs don't matter"
mantra that has been making the rounds within the industry over the past few
years. The claim that finding individual bugs in suspected-bad
software is a waste of time seems like an extension of that.

I think that arguments like that ignore the complex realities of
"commodity" software engineering (including the sometimes wobbly
foundations everybody is building on top of), and the fact that the
mitigations at our disposal are often imperfect or difficult to
retrofit. I also feel that bug-hunting in less-robust software
generally isn't as expensive as portrayed, can take out the
low-hanging fruit pretty comprehensively and immediately, and provides
a more fertile ground for systemic improvements later on.

So, in my view, the value of squashing individual bugs, even in
something like ffmpeg, is pretty clear.

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
