undefined | Better HN

0 pointsUncleMeat7y ago0 comments

What is "should have been preventable"? Mandatory continuous fuzzing of all apis? Interprocedural static analysis to detect all of the owasp top ten? Manual audits of all dependencies and transitive dependencies on every update? Hire world class auditors to manually inspect code?

I'm a huge security person. It's my job. But its unbelievably difficult to secure programs even if there are clear steps in hindsight that could have prevented a bug.

0 comments

AlexandrB7y ago

> What is "should have been preventable"? Mandatory continuous fuzzing of all apis? Interprocedural static analysis to detect all of the owasp top ten? ...

All of the above, possibly. Other engineering disciplines seem to have defined what constitutes due diligence just fine. This isn’t a novel problem.

It’s obviously not possible to make anything perfectly safe or perfectly secure. But it’s certainly possible to define a minimum amount of effort that must be put towards these goals in the form of best practices, required oversight, and paper trails.

Edit: Even “fuzzy” disciplines like law have standards for what constitutes malpractice or negligence when representing a client.

j / k navigate · click thread line to collapse