For years I have been saying variations upon a theme of:
There are no new security bugs, there are merely ever-more-complex re-incarnations of the same classes of bug.
…and that pretty much every security bug ever described eventually collapses down to being one of a small number of common fault-categories that you need to be really pointlessly anal to want to refine any further – e.g.:
Question: is a buffer overflow really not just an instance of excess of privilege, in that you are not meant to have the privilege to that data space?
Choice of Answers:
- Yes.
- No.
- Maybe.
- I’m trying desperately to remember what is said on page 657 of “Pass Your Professional Security Certification in 24 hours!” so that I can agree with the author – who, incidentally, is the same guy who wrote the certification exam….
- Huh?
- Who cares? It’s a bug, just fix it!
What follows from my assertion that there are never any really new security holes is that there are never any really new ways of security hole defence, most of them collapsing to one or more forms of isolation, detection, interruption, remediation, or (best) prevention.
But what is new and sexy in the world of security amongst my peers?
Apparently not merely whining that it’s all been done, been done before but also that people are so stupid that they don’t realise this!
[www.avolio.com] [honor.icsalabs.com] [www.avolio.com] [www.avolio.com] [www.avolio.com]
I love you guys, but, well, duh:
- ignorance of security is a steady state amongst the masses, and the masses increase, daily.
- journalists tell people to fear things.
- journalists, through the media, talk to many people at once.
- we tell people how to make things better.
- we, being constrained, can either only preach to the converted, or try to pick and choose our battles.
- no software will ever be written that is implementationally and operationally 100% secure, so we will always have work to do.
- nothing will ever change this.
- at least we get paid.