Conversation

OK, I want to rant about something for a bit

This story from @BleepingComputer cover the topic of top most dangerous #security #vulnerabilities from 2021/2022

https://www.bleepingcomputer.com/news/security/mitre-releases-new-list-of-top-25-most-dangerous-software-bugs/

The problem isn't the story, the story is good

The problem is these lists

MITRE is a group that runs #CVE, the host the MITRE ATT&CK framework, #CWE is under their umbrella, and countless other things related to security

#OWASP has a similar list and they are considered one of the primary authorities on secure development

And what do these lists show us? That nothing changes. The lists are the same every year. A few things might move around, but functionally we have the same security problems we did a decade ago, heck, 20 years ago.

These are groups that can hand out advice that will be followed, and what do they give us? Nothing of substance

The secret is because they have no idea how to change anything

I think there are two overly simplistic ways to look at this

First, we have the security the free market demands. There's nothing to fix, these lists are all stupid and pointless. It's just ego stroking for organizations that don't actually matter but want to pretend they are relevant.

The people running these groups have no idea what to do. Many haven't written a line of code in over a decade, and rather than try to work with the next generation, they make lists and complain

I have no grand solution, I'm just complaining. And I'm old. So clearly I fit in the second category. Thank you for coming to my conference talk. I should probably go make a list now

Public

Notices

Feeds