Comment by UweSchmidt
12 hours ago
Maybe it's time to take a closer look at reality and correct this meme, which might casually blur the issue and deflect responsibility?
Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.
Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.
So I would go with “Never attribute to ignorance that which is adequately explained by malice.”
> I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.
The saying doesn’t mean that all vulnerabilities are blunders. It means we shouldn’t automatically assume vulnerabilities are nefarious.
If closer inspection proves beyond reasonable doubt that it was placed there deliberately and maliciously then that’s different.
But the point is most vulnerabilities are blunders so it’s better to assume that until proven otherwise.