security out of thin air

I feel so much pity – and sometimes anger – when an exploit is found on some software and you can feel the smugness of security professionals while the poor developer have to scramble and get out a fix as soon as possible.

The security professional’s job is all fun and pretty easy. They just run automated scripts, compile a report, send it to the client and – poof – money out of thin air*. They only report (much of them false positives), they don’t have to fix. I’m willing to bet that the vast majority of security professionals wouldn’t be able to fix it themselves and that if they did, it would still have security issues. Maybe not now, but eventually.

It’s because writing code securely is incredibly hard – even for a security professional. If a developer had to handle all the exploitable cases, they wouldn’t be able to ship any kind of feature.

So to the security professionals that feel all high and mighty because there’s an exploit, just remember, you owe your livelihood to the developer that you label “stupid” or “idiot”. Developers come up of things out of thin air, you’re lucky you get to profit off of it.

Nothing is secure; only nothing is secure.

*The Mission Impossible-esque heist? Yeah, happens once in a while but far from their bread and butter.