by closeparen
1071 days ago
Something I've been mulling over for a while: security vulnerabilities are basically the original developers getting outsmarted, caught out being careless. Even a very skilled, careful team might ship bugs that have security implications. But low-skilled, careless teams are definitely doing this. All buggy software is also vulnerable. There is no such thing as low-quality but secure.
|
This is absolutely not true. Security vulnerabilities can be due to a huge variety of reasons well beyond "the developer is outsmarted/careless". A great example of this was Unicode-related issues. Also, changing API/ABI surfaces.
And, we think of security vulnerabilities as "bugs" that cause "hacks", but sometimes vulnerabilities come not in the form of a technical hack, but of attacks on users.
Sometimes, the developers know there's an issue, but the business forces them ahead anyway and takes on the risk. I've dealt with a few of those.
It's counterproductive to put it firmly on the developers, but I do agree that technical security issues and quality issues are tightly intertwined.