Comment by tosapple
20 days ago
Why did you edit out the third paragraph about finding a single exploit on target being slanted against having to secure a whole system?
What I said was true but after thinking about it a bit more, I wasn't sure how material it was to my argument after considering additional factors.
There are other nuances which may offset the asymmetry a bit; for example the security analyst generally has much more visibility over the company's code than the hacker does.
That said, I stand by my original point because I think that building secure systems is really hard; it's much more effort per unit of functionality to build the system correctly (and doing that for every part of it) than it is to crack it (by finding a single hole).
On the side of defense, you need to understand a lot of nuance about how your system works and how parts interact to make it secure; any neglect can potentially be a critical vulnerability which can compromise the entire system.
On the side of offense, sometimes mindless prodding can uncover a critical vulnerability. The intelligence/thinking requirement is lower; it's more about knowledge than thinking.
For example, there are some special payloads which you can send which may pose a problem for different systems built by different companies because the companies share the same underlying engine or they fell victim to the same footgun. I think this aspect is much more important than my previous argument.