by sneak 37 days ago
I think it's "don't use parsers written in unsafe languages".

All languages are unsafe. Some just make it less obvious.
Treat every input as an attack vector.
I think it's simpler: don't touch untrusted content unless/until you need to.
But that just moves it from 0-touch, to 1-touch (which is of course better).

But users are morons.

We STILL NOW, have people getting phished and pwning their employers.

Let's think about why that happens though.

We all go through that stupid phishing training. They give us a list of red flags to help determine if an email is legit.

Then the next day, the CTO sends out an email that says IMPORTANT and the only text body says PLEASE READ THE ATTACHED .DOCX FILE. This is exactly what we were just trained not to open, but it's from some exempt C-level who didn't have time to take the training, and all he is now doing is training the employees to open mails that look like phishing.

Alas, there are a lot of things that you need to touch that are untrusted.
That's easy, and already done. Phones only touch untrusted content when they need to, it's just that they need to touch it immediately upon receipt.