Reply to post: Root Cause: HAIRBALL Systems Design

Marissa! Mayer! pulled! out! of! retirement! to! explain! Yahoo! hack! to! Senators!

Anonymous Coward

Root Cause: HAIRBALL Systems Design

Too many people in Software Engineering still think they need the latest and greatest third-party library in their projects. Nah - a dozen of them!

So they have

+ TLS mumbo-jumbo, so complex nobody gets it right (non-exploitable bugs) for a decade.

- OpenSSL with 400k lines of code and probably 10000 exploitable bugs. Nobody bothered to find them for a decade.

- Apache Struts with 280k lines of code and lots of exploitable bugs. Also, decade-old exploitable stuff in there.

- Linux kernel with 11 million lines of code and exploitable bugs in things like gethostbyname().

So, what to do?

I suggest radically rethinking what we do and going for much leaner and easy-to-understand/easy-to-analyze systems. E.g.

+ seL4 OS (https://github.com/seL4/seL4) with just 40k lines of code! Attempted correctness proof.

+ MST crypto library (https://github.com/DiplIngFrankGerlach/MST) with less than 1k lines of code at the core.

+ INRIA CompCert C compiler (http://compcert.inria.fr/download.html) - 90k lines of code and correctness proven.

And if that is "too technical" for the manager types, they had better educate themselves on the subject.
