From information security analyst Joshua Goller, the “Tarski-Gendlin Litany of Information Security”:
What is vulnerable to exploitation is already so; facing it doesn’t make it worse, and ignoring it doesn’t make it secure. Because it’s vulnerable, it is what is there to be attacked, and anything not found to be vulnerable isn’t there to be hacked (yet). The developers can stand to know what is exploitable, for they unknowingly wrote it to be exploited, and the users can stand to know what is insecure, for they are currently using it insecurely. If the software contains an exploitable bug, I desire to believe that the software contains an exploitable bug. If the software does not contain an exploitable bug, I desire to believe that I haven’t found any exploitable bugs in it yet, and I had better keep looking. Let me not become attached to beliefs I may not want.
If the software does not contain an exploitable bug, I desire to believe that I haven’t found any exploitable bugs in it yet, and I had better keep looking.
This part seems like a mistake. If this component actually does not contain an exploitable bug, my time would be better spent looking for exploitable bugs in other components. Otherwise I can never audit the whole code base.
This part seems like a mistake. If this component actually does not contain an exploitable bug, my time would be better spent looking for exploitable bugs in other components. Otherwise I can never audit the whole code base.
Yes. Also, if there is no exploitable bug, then I would want to believe that, not merely that I haven’t found any yet.