There I Go Again…

…Saying stupid logical stuff [comments in brackets]:

But Pete Lindstrom, a director at research firm Spire Security, believes flaw finders are at the root of the conflict, not Oracle. "I really question the motives of the security researchers," he said. "They are techno-elitists requiring ego-stroking, and the end-users are caught in that crossfire." [what researchers really want is attention from the manufacturer and adulation from their peers - note I didn't say they want more secure software. Microsoft is the perfect case study there.]

Security researchers are purists who want every bug squashed, Lindstrom said. "Everyone else wants software that is secure enough — simply, that you have no compromises against vulnerabilities in the software. It is not that you eliminate all vulnerabilities from all software everywhere," he said. [Because eliminating all bugs by finding and fixing and never coding them to begin with is impossible. Say it with me: Impossible.]

Instead of helping security become more secure, the bug hunters are a burden, Lindstrom said. It is not true that criminal hackers are just behind them when it comes to uncovering bugs, he said. Instead, attacks always take advantage of bugs published by researchers, he said: "Maybe the good guys should stop finding bugs for the bad guys." [We have no basis for doing what we are doing for the good of security. This is clear.]

So, to be clear, here is my position:

  1. All software vendors should want to develop software with the fewest bugs. Fixing bugs after deployment is expensive, both directly and indirectly.
  2. Bug hunting in the past was useful; today it is destructive because there are too many systems to attack.
  3. It is impossible to make bug-free software, and you couldn’t believe it if you did (if you are prudent and appropriately skeptical).
  4. The way to measure the security of software and to determine whether it is truly damaging is by identifying compromises of vulnerabilities that were previously unknown to the good guys.
  5. Good guys need to find alternatives to bug hunting to secure software. There are plenty out there. The aftermarket is too random and too large to be helpful to enterprises.
  6. There is no reason to believe that we will find the same bugs that the bad guys do (if they are even looking).
  7. There is no reason to believe that we can find all bugs that exist (especially within the world’s codebase, because attackers can look anywhere they please).
  8. We can find unknown vuln exploits. We can protect ourselves.