Hacker News
by Kinrany 1771 days ago
It's clearly true: it's cheaper to prevent vulnerabilities than to find and exploit them.
3 comments

"Defense vs Offense" is underspecified for this disagreement. Considering "defense" as the developers writing an application, and "offense" as the reverse engineers attempting to exploit it, defense may still be cheaper in some scenarios.

If you consider "defense" as an organization attempting to provide a service securely, and "offense" as all the security threats they are exposed to, it seems hard to argue that the defensive side has any sort of advantage over all of the attackers.

Is it cheaper to find and prevent ALL vulnerabilities than to find and exploit ONE?
Does this assume a stable and relatively slow rate of change? Because at some scales I imagine preventing vulnerabilities could be equally difficult.