If security is a circus, who are the clowns?
Linus Torvalds complains to Ellen Messmer about the "security circus" he sees. Linus is talking about the constant friction between the "disclose immediately" crowd and the "responsible disclosure" crowd. While I agree that the arguments over when to disclose get tiresome, the long pole in the tent of this circus is the clowns who do a lot of the coding for the products that we use.
With the pressure of getting code out on time and on budget, there are just too many vulnerabilities in the products we rely on. Racing to get the next greatest feature into this release, or that must-have functionality that was promised to the customer, too often pushes security and bulletproof code into the shadows. Then, when someone finds the all-too-frequent holes in the code, somehow the people who find them are the ones in the wrong?
Yes, it would be much better if the whole disclosure-timing argument went away. I don't think that will ever happen. But if we had more quality control around code, perhaps the problem would not be so acute. So, when talking about the circus, instead of blaming the security people, maybe take a good look at the clowns.