You can't tell me the complexity was testing either, because the tests are opensource and they literally just call it with rand() 1000 times. 
Replying to @taviso @mattaustin
A single example of a botched fix proves nothing. Sit on the other side contending with a report that is a symptom of a bigger design issue which will take 18 months to truly fix. That 90 day clock ends with a zero day about which user can do nothing. Not pretty
1 reply 0 retweets 2 likes
Replying to @BrkSchoenfield @mattaustin
It proves plenty, it proves that vendors are willing to pull out any excuse to not fix vulnerabilities in a timely manner. I've been on both sides of the disclosure process, and see good reason to not just give vendors whatever they ask for.
2 replies 0 retweets 7 likes
Replying to @taviso @mattaustin
That’s silly, “vendors”. Have you worked PSIRT for an honourable company? Do it to see how tricky it can be. There are vendors I wouldn’t work for, ever (dishonest). And vendors who try really hard. Prioritizing isn’t easy, Tavis, it’s bloody difficult.
1 reply 0 retweets 0 likes
Replying to @BrkSchoenfield @mattaustin
Of course I have. The vendor in this case is Microsoft, are they honourable? (Haha, your bio says IOActive, so I assume you're a Microsoft cheerleader)
2 replies 0 retweets 3 likes
Replying to @taviso @mattaustin
We can learn a lot about the state of appsec ‘art’ from Microsoft. Far from perfect, true. Maddening sometimes. It’s that “state of art” where I want to put my energy cuz basically, we’re all beginners. My 20 years doesn’t make a “mature practice”.
1 reply 0 retweets 1 like
Replying to @BrkSchoenfield @mattaustin
Remember to take a breath between gulps of that Kool-Aid, I don't want you to drown!
5 replies 0 retweets 4 likes
Tavis & Matt are right. Forcing fixes does work. For them. Things that can’t be fixed w out breaking other functionality require extra time & care, but it can be done in less time than that. Dropping 0day reprioritizes internal teams’ focus tho, so it’s not w out consequences.
2 replies 3 retweets 11 likes
Internal teams can respond to that reprioritization & additional work by adding resources instead of shooting the messengers with the whole “responsible” guilting language.
1 reply 2 retweets 6 likes
And not only can this help evaluate whether adequate resources are assigned to deal with the situation that the organization has created for itself and its customers, it can also help inform changes to the SSDLC in order to reduce defect rates and resources in the future ...
1 reply 1 retweet 2 likes
It also provides an economic incentive to fix issues, why should a rational vendor spend resources rushing to fix bugs that customers don't know about, and therefore cannot interfere with purchase decisions, contract renewals, etc?