Penetrate and patch is bad

• Avoid in-the-wild analysis (by bad guys)

  • too late
  • patches ignored
  • patches have holes

• Create architectures with security in mind

  • external assessment
  • sound engineering

• Identify and manage security risks

• Patches are attack maps

“…any program, no matter how innocuous it seems, can harbor security holes. … I thus have a firm belief that everything is guilty until proven innocent.”

-Steve Bellovin

Previous slide

Next slide

Back to first slide

View graphic version