Dailydave mailing list archives
Re: software security, disclosure, and bug bounties
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 25 Nov 2014 14:28:58 -0500
The "Bugs don't matter" mantra is probably a standard side effect of people trying to outlaw exploits. Sadly, these people are weirdly doing so within the auspices of civil liberties.

Of course, it is hard to disagree that the fuzzing and work you've been doing on FFMPEG and friends is not going to have an impact (I decline to say positive or negative here ;>). However, it is possible that something like the Linux/Windows/Hypervisor-of-your-choice Kernel is beyond the reach of this sort of behavior.

-dave

On 11/24/2014 5:46 PM, Michal Zalewski wrote:
Yes; to be perfectly clear - I sent my response somewhat hastily, but I am not arguing that good design practices, system-level mitigations, or secure-by-default coding frameworks do not matter. In fact, in many cases, they matter more than finding bugs. I can say this from experience; in all the places I have worked at so far, the only scalable way to do security was to make it hard for developers to shoot themselves in the foot; fuzzing and bug-hunting is added as a cherry on top, but not as a substitute for having a competent security program to start with.

On the flip side, I am somewhat unhappy with the "bugs don't matter" mantra that has been making the rounds within the industry over the past few years. The claim that finding individual bugs in suspected-bad software is a waste of time seems like an extension of that. I think that arguments like that ignore the complex realities of "commodity" software engineering (including the sometimes wobbly foundations everybody is building on top of), and the fact that the mitigations at our disposal are often imperfect or difficult to retrofit. I also feel that bug-hunting in less-robust software generally isn't as expensive as portrayed, can take out the low-hanging fruit pretty comprehensively and immediately, and provides a more fertile ground for systemic improvements later on.

So, in my view, the value of squashing individual bugs, even in something like ffmpeg, is pretty clear.

/mz

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave