Yes; to be perfectly clear - I sent my response somewhat hastily, but I am not arguing that good design practices, system-level mitigations, or secure-by-default coding frameworks do not matter. In fact, in many cases, they matter more than finding bugs.
I can say this from experience; in all the places I have worked at so far, the only scalable way to do security was to make it hard for developers to shoot themselves in the foot; fuzzing and bug-hunting is added as a cherry on top, but not as a substitute for having a competent security program to start with.

On the flip side, I am somewhat unhappy with the "bugs don't matter" mantra that has been making the rounds within the industry over the past few years. The claim that finding individual bugs in suspected-bad software is a waste of time seems like an extension of that. I think that arguments like that ignore the complex realities of "commodity" software engineering (including the sometimes wobbly foundations everybody is building on top of), and the fact that the mitigations at our disposal are often imperfect or difficult to retrofit. I also feel that bug-hunting in less-robust software generally isn't as expensive as portrayed, can take out the low-hanging fruit pretty comprehensively and immediately, and provides a more fertile ground for systemic improvements later on.

So, in my view, the value of squashing individual bugs, even in something like ffmpeg, is pretty clear.

/mz

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
