> and how does finding/fixing bugs change that? are you saying that p0
> efforts resulted (or have a chance to result) in a *complete* extermination
> of security bugs that affect a *single* layer at least? either that or
> your bug squashing doesn't matter (for security).

I am fairly confident that many core components that we depend on have gotten a lot harder to compromise over the years; we are obviously not at a point where there are no bugs left (and we're certainly not at a point where optimal design practices or mitigation frameworks are bulletproof, either), but at least subjectively, I feel that at any given time, far fewer people would be able to compromise my web server than in the 90s, and far fewer are likely to have a 0-day exploit for my browser, compared to the 2000s.

Some of this comes down to mitigations, sandboxing, and better design practices - although their adoption by non-security engineers is driven largely by the cold and hard evidence of failures. And in my view, a lot of it also comes down just to relentless fuzzing and manual code audits.

Now, of course, it's hard to truly quantify such opinions, and if you think otherwise, I think it's quite fine to disagree :-)

>> I'm sure that neither you nor Brad are running 15-year-old copies of
>> Apache and OpenSSH, or browsing the web with Netscape Navigator, and
>> then putting all your faith in containment frameworks.
>
> we don't run new software because of the security bugs fixed in them
> but because that's how the whole stack evolves

Interesting; so the knowledge of an RCE in OpenSSH would not factor into your decision to stay on a particular version? That sounds like a bold move.

/mz

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
