undefined | Better HN

0 pointstptacek26d ago0 comments

Then why didn't they?

0 comments

4 comments · 2 top-level

kimixa26d ago· 2 in thread

I think the real point is they didn't - until it became a "marketing" thing for another company who did it for them.

A lot of these issues would be highlighted by "legacy" (pre-AI) analysis tools. The issue is that they weren't being run.

tptacekOP26d ago

Why not? We're talking about vulnerabilities with real market value here. If it was just a tool run, why weren't the tools run?

Isn't the simpler explanation that they weren't just a tool run?

firesteelrain26d ago

The tools are expensive. One of the major players in the market have really expensive licensing fees. Then the developers all need to be trained on how to use the tools and understand the results. It’s not something they teach effectively in schools.

Software engineering is still kind of new overall.

3 more replies

Someone26d ago

Could be any (combination) of

- looking at components in isolation, not realizing that a component could receive untrusted input

- looking at the entire system, but not in a configuration that made the CVE possible

- having to be extremely lucky to find the issue through fuzzing, and Apple not hitting that jackpot

- having found the issue in testing, but incompletely/incorrectly fixing it

- mostly focusing testing on other components because this one’s code didn’t change and hadn’t seen issues in years

I don’t think we have enough info to know which (or something entirely different) it is.

j / k navigate · click thread line to collapse