top | item 46840935

(no title)

ghurtado | 29 days ago

I have to assume you have never worked on security cataloging of third party dependencies on a large code base.

Because if you had, you would realize how ridiculous it is to state that app security can't be assessed until you have read 100% of the code

That's like saying "well, we don't know how many other houses in the city might be on fire, so we should let this one burn until we know for sure"

discuss

fasbiner|29 days ago

What you are saying is empirically false. Change in a single line of executed code (sometimes even a single character!) can be the difference between a secure and non-secure system.

This must mean that you have been paid not to understand these things. Or perhaps you would be punished at work if you internalized reality and spoke up. In either case, I don't think your personal emotional landscape should take precedence over things that have been proven and are trivial to demonstrate.

JasonADrury|28 days ago

> Change in a single line of executed code (sometimes even a single character!) can be the difference between a secure and non-secure system.

This is kind of pointless, nobody is going to audit every single instruction in the Linux kernel or any complex software product.

jokersarewild|29 days ago

It sounds like your salary has depended on believing things like a partial audit is worthwhile in the case that a client is the actual adversary.

charcircuit|29 days ago

Except Meta is not an adversary. They are aligned with people who want private messaging.