This is an excellent list that is two decades overdue, for some
> software and systems should be secure by design
That should be obvious. But nobody gets rich except by adding features, so this needs to be said over and over again.
> This will never happen, so we need to utilize the find and patch technique,
Oh my giddy GAD! It is up to *us* to make this happen. Us. The find and patch technique does not work. Secure by design does work. The article had some good examples.
> Most applications/systems are updated frequently, which means new vulnerabilities will be introduced.
That is only true when we are not allowed to do our jobs. When we are able to act like responsible professionals we can build secure software.
The flaw in the professional approach is how to get over the fact that features sell now, for cash, and building securely adds (a small amount of) cost for no visual benefit.
I do not have a magic wand for that one. But we could look to the practices of civil engineers. Bridges do collapse, but they are not as unreliable as software.
> The flaw in the professional approach is how to get over the fact that features sell now, for cash, and building securely adds (a small amount of) cost for no visual benefit
Because Capitalism means management and shareholders only care about stuff that does sell now, for cash.
> But we could look to the practices of civil engineers
If bridge-building projects were expected to produce profit, and indeed increasing profit over time, with civil engineers making new additions to the bridges to make them more exciting and profitable, they'd be in the same boat we are.