Discussion Invite: The "Good Guys" vs The Malicious Craftworkers

It seems, to me, the Mac platformers, as well as the purveyors of the popular non-Apple web browsers have been busier than bees the last couple years, reacting to security threats.

Almost everybody’s got the every-other-day-Adobe-style security fix syndrome.

This stuff is pretty well over my head, and I’m barely qualified to even ask these questions

That being said, Q: Is there much work going on to proactively subvert the subverters and purveyors of Malicious Craft… or are we in a permanent state of reaction, counter-punch, and catch up

Just based on observations when reading about security updates to Apple OS and apps, there are far more that appear to be proactive than those that indicate “Apple is aware of a report that this issue may have been actively exploited.”

In my job I get to visit many software development organizations. Security is always a concern that varies with the software under development (e.g., game vs. medical device). However, security is a very young discipline for most software development groups. As an industry, security isn’t at the same level of focus as delivering features to users.

The other problem for security is that modern software products are tremendously complicated. Code bases are routinely in the million of lines and just one can cause a security breach. Code bases are frequently a combination of multiple teams efforts. Assumptions on one team may not match another opening up a possible breach. Changes to software outside of your control but you interface with can open up a breach.

So, while the proactive is getting better, there is currently and in the near future a huge need for reactive work as well.

These days, the majority of security exploits in software come from third-party libraries included with the main product. The current CVE with log4j is a good example of this.

While using third-party libraries cuts down on initial development time, over-reliance on them can, and often does, lead to problems with licensing; existing code in the main program breaking when the library get updated; code bloat; dependency conflicts; and the possibility that the library will become unsupported.

These are the things that many developers fail to consider when trying to get a product out the door.

No doubt for the next couple weeks there will be more discussion on the topic at various forums.

I guess I am also curious, while not exactly the focus here in a forum such as this,
where are “we” in terms of tracking, preventing, prosecuting … the bad guys in all of this