by acdha
1245 days ago
I’m feeling old remembering reading this at the time and being glad that it was getting pointedly directed to certain large vendors. I think the key part of “penetrate and patch” is rejecting the idea that you can hire a tester, patch a couple of holes, and otherwise not change anything. It’s the difference between being _shocked_ that your C++ has another memory safety issue after someone exploits it and using tools like Rust, sandboxes, static analysis, etc. to avoid having an exploitable vulnerability in the first place. The major confound here is that a lot of companies realized there aren’t actually many penalties for releasing unsafe software, and decided that throwing bodies at patching was cheaper. I’m reminded of how many antivirus programs had basically 90s-level C code running with system privileges because the owners decided it’d cost too much to rewrite it until Tavis Ormandy started fuzzing them. I doubt many customers switched despite clear evidence that those vendors had serious deficiencies in their development processes.