Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Oct 2014 18:11:10 +0800
From: Pavel Labushev <>
Subject: Re: Thoughts on Shellshock and beyond

Finding and fixing security bugs doesn't scale and doesn't even work.
New bugs are being introduced all the time, together with or even by the
code that fixes old bugs. And the more complicated and large a code base
is, the worse.

What works is recognising and eliminating whole bug _classes_, or
deploying exploitation mitigation measures against them. But good luck
convincing software developers they should do that, that they should
learn something new, change their workflow, their toolchain, work on
their discipline, change their priorities, consider external experts'
opinions and generally "waste" their time on something as hardly
measurable and conventionally "insignificant" as software security.

Also, sometimes, to make some things considerably more secure instead
of just participating in a cargo cult, you should literally replace
things with something more thought, with better architecture and design,
using more secure technologies and approaches, etc. But that's not how
software development works in general, that's not how people want to
spend their resources. And even Snowden's leaks didn't really change

Thinking that there's some "reasonable" approach, like bug fixing
or something, is just plain wrong, in the AV industry style. There are
no "reasonable" approaches, the system is fscked up and it won't change
so easily in any foreseeable future. To make some real difference, we
should stop participating in the cargo cult of security bugs fixing,
get the guts to admit that it doesn't work, and move on.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.