On Sun, Aug 4, 2024 at 11:22 AM Rich Pieri <richard.pi...@gmail.com> wrote:
>
> On Sat, 3 Aug 2024 22:05:49 -0400
> Bill Bogstad <bogs...@pobox.com> wrote:
>
> > I think it is basically because the industry has convinced itself
> > that bugs are inevitable and there is no way to mitigate those bugs
> > becoming security problems.   Back in the 90s, I found security
> > fascinating; but when I realized that nobody had any interest in
> > actually doing anything more than dealing with this week's problem, I
> > decided that wasn't a career path I wanted to follow.
>
> It's not that nobody has that interest. It's that perfect security is
> impossible either in the physical world or the digital realm: the
> attacker always has the advantage over the defender. We do what we can
> think of to prevent compromise but we understand that the attackers can
> try all of the things we *didn't* think of or the tiniest of mistakes
> we make. So we also do what we can to detect, contain and mitigate
> compromise. It's very much whack-a-mole, solving the endless string of
> this week's problem.

Did I say that I wanted perfection?  In text that you removed, I
asserted that there are known techniques that would stop whole classes
of programming bugs from becoming security bugs.   I didn't make it
completely clear, but they could be implemented in compilers so little
or no programmer time would be required.   They would slow down
programs by something like 5-10%.   Does anybody do this?  Not as far
as I know.  Our priorities seem to be organized into something like
this:   time to market, features, performance, pretty UIs, price (i.e.
development cost), .......... , security.  We would have a whole lot
fewer moles to whack if we changed our tools.   I would argue that we
would probably improve debugging (development) costs as well because
bugs would be found and fixed a lot more easily.   To be fair, it
seems like the techniques to do this have not really gotten into
commercial development systems even as an option.   So maybe I should
blame the people who write compilers rather than the software industry
as a whole.   At least we both agree that we are in a whack-a-mole
situation.   I just think things could easily be a lot better than
they are.


-- 
Bill Bogstad
bogs...@pobox.com
_______________________________________________
Discuss mailing list
Discuss@driftwood.blu.org
https://driftwood.blu.org/mailman/listinfo/discuss
