Remember Linus's Law?
-
Remember Linus's Law? While it was never really true, there are now A LOT of people looking for vulnerabilities with LLMs, and they're finding vulnerabilities EVERYWHERE
While Linus's Law was clearly nonsense, this is creating an increase in vulnerabilities the world is completely unprepared to deal with
What happens if we have a million CVEs every year?
Linus's Law, but vulnerabilities
given enough eyeballs, all bugs are shallow – Linus’s Law A long time ago we thought Linus’s Law was a real thing and it was why open source was better than closed source. It seems pretty accepted now that Linus’s Law wasn’t ever really a thing. It’s far more likely the reason a lot of open source was pretty good is because the authors were worried someone WOULD look and judge them if the code looked like crap. We all have dark corners of private GitHub repos that are the code equivalent of a festering boil.
Open Source Security (opensourcesecurity.io)
-
@liw hi5!
-
@joshbressers maybe.... fix them slowly, and write new code more slowly, carefully, and deliberately?
-
A million CVEs is gonna look like rookie numbers in 3-5 years. The quantity of vulnerabilities will increase with the quantity of code and that's ballooning now.
Thing is, any pentester or appsec person could have told you this stuff is there and has been forever. It's occult knowledge basically; hidden because nobody's actually been looking.
The reckoning here isn't that this is creating some unbeatable tide of new problems, it's that for years people have refused to foundationally build in secure design and development practices in our education for any kind of programmer, developer, or architect. Pushing left is the only reliable way to turn this tap off - prevent the mistakes as or before they're made. Instead, the industry has collectively decided to build tap opening automation at grand scales.
"Oh no we've defended our appsec program" is basically where loads of companies are.
Look to climate change for how well we're gonna handle this.
-
@hyc While I would love to see this, I suspect that ship sailed a long time ago
-
@fennix Agreed!
It's going to be a very silly couple of years
-
@joshbressers What if most of them are bullshit?