Post AXBzyEHDLVIPSk32lE by Asymmetricblue@mastodon.social
Post #AXBsJi6gpk1oQYrDpw by joshbressers@infosec.exchange
       2023-06-29T16:43:12Z
       
       0 likes, 0 repeats
       
OK, I want to rant about something for a bit.

This story from @BleepingComputer covers the topic of the top most dangerous #security #vulnerabilities from 2021/2022: https://www.bleepingcomputer.com/news/security/mitre-releases-new-list-of-top-25-most-dangerous-software-bugs/

The problem isn't the story; the story is good. The problem is these lists.

MITRE is a group that runs #CVE, they host the MITRE ATT&CK framework, #CWE is under their umbrella, and countless other things related to security. #OWASP has a similar list and they are considered one of the primary authorities on secure development.

And what do these lists show us? That nothing changes. The lists are the same every year. A few things might move around, but functionally we have the same security problems we did a decade ago, heck, 20 years ago.

These are groups that can hand out advice that will be followed, and what do they give us? Nothing of substance. The secret is because they have no idea how to change anything.

I think there are two overly simplistic ways to look at this.

First, we have the security the free market demands. There's nothing to fix, these lists are all stupid and pointless. It's just ego stroking for organizations that don't actually matter but want to pretend they are relevant.

OR

The people running these groups have no idea what to do. Many haven't written a line of code in over a decade, and rather than try to work with the next generation, they make lists and complain.

I have no grand solution, I'm just complaining. And I'm old. So clearly I fit in the second category. Thank you for coming to my conference talk. I should probably go make a list now.
       
Post #AXBsJimWKDUMWIQd2O by ParadeGrotesque@mastodon.sdf.org
       2023-06-29T17:32:31Z
       
       0 likes, 0 repeats
       
@joshbressers I believe the secret is this:
- We know what to do.
- We know how to do it.
- Doing things right takes a long time.
- We have no incentive (read: REGULATIONS and PENALTIES) to do things right.
- It is way more profitable to do things wrong, and patch later, than to do things right in the first place.

Therefore nothing changes, and computer security is shite. QED.
       
Post #AXBzyEHDLVIPSk32lE by Asymmetricblue@mastodon.social
       2023-06-29T17:56:51Z
       
       0 likes, 0 repeats
       
@joshbressers @ParadeGrotesque I disagree with your first 2 points, but agree with the rest.

The majority of companies are small businesses, typically with small budgets, and people wearing multiple hats. Therefore I suspect that the average programmer does not know what to do or how to do it. They don't get paid training or mentoring, etc.
       
Post #AXC7GyfYIVT0EpJpmy by ParadeGrotesque@mastodon.sdf.org
       2023-06-29T20:20:08Z
       
       0 likes, 0 repeats
       
@Asymmetricblue Even small companies can do a good job. Even small companies know how to do a good job.

As a matter of fact, some very small companies do a much better job writing secure and stable software than large ones.

@joshbressers
       
Post #AXCH887gmJ8uUgtpjc by Asymmetricblue@mastodon.social
       2023-06-29T20:35:53Z
       
       0 likes, 0 repeats
       
@ParadeGrotesque I don't disagree with "can". I don't disagree that some small software and SaaS companies do.

However, there are tons of small non-technical companies that write "software" to support their operations that are clueless. Your manufacturers, and non-SaaS service companies, non-profits, small retail, etc.

@joshbressers is right that tooling without sharp edges helps here, to a point.