On 26/11/15 17:13, Mike Hoye wrote:
> Stillman wrote some new code and put it through a process meant to catch
> problems in old code, and it passed. That's unfortunate, but does it
> really surprise anyone that security is an evolving process? That it
> might be full of hard tradeoffs? There is a _huge_gap_ between "new
> code can defeat old security measures" and "therefore all the old
> security measures are useless".

But the thing is, members of our security group are now piling into the bug pointing out that trying to find malicious JS code by static code review is literally _impossible_ (and perhaps hinting that they'd have said so much earlier if someone had asked them). You can evolve your process all you like, but if something is impossible, it's impossible. And not only that, but attempting it seems to be causing significant collateral damage.

> It's an even bigger step from there to
> the implication that people working on this either haven't thought about
> it already, or just don't care.

I agree with that.

Gerv

_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform

