Time to Take the Theoretical Seriously

Chris Wysopal, CTO of Veracode, has an article on the double-edged sword of vulnerability research and disclosure. Here are a few quotes:
"The hope that no one is willing, or no one is able, to implement an attack is not a security strategy."

"Yet, the necessity of demonstrating such attacks before the vulnerabilities are fixed is dangerous, both for Internet users and for researchers. By raising the amount of work required for researchers to get their voices heard it makes it all the more likely attackers will build the tools first."
