by nikster
1724 days ago
Reading the OA, I also believe that there's a wide variety of technical detail that could be the cause of, say, not responding. Maybe the reports get to the tech teams, the tech team figures out that this bug will definitely be caught by the static analyzer, and they have other more pressing issues. The main problem today IMO is that the incentives for finding and actively using exploits are much higher than the incentives for fixing them, and certainly much higher than building secure code that doesn't have the issues in the first place. After all, nobody will give you a medal for delivering secure code. They will give you a medal for delivering a feature fast.
I’ve worked at some of the largest financial institutions and they spend billions on security every year to achieve something slightly better than average. Building products with a step function increase in security would incur costs in time and energy and flexibility that very few would be willing to pay.