This is an incredible resource for anyone looking into zeroday exploits and I'm happy to say that I helped with it http://www.rand.org/pubs/research_reports/RR1751.html …
Many eyes (and open source) DO NOT make all bugs shallow. Linux among the highest life expectancy for exploits. pic.twitter.com/ILOUTqoPVi
AGAIN: efforts to patch or disclose your way to killing exploits don't work (*cough* Project Zero). Most die from code refactors. pic.twitter.com/tXF5rFI98J
so @jwz's "Cascade of Attention-Deficit Teenagers" is the new SDLC Best Practice, got it. https://www.jwz.org/doc/cadt.html
This analysis feels incomplete. Does the same hold for Chrome, that is under both constant refactoring and aggressive fuzzing?
Both rates of bug death causes seem likely to depend on investment in product dev vs bug finding, and are not necessarily correlated