Sunday, January 17, 2016

OpenSSH, security, and everyone else

If you pay attention at all, you heard this week about a security flaw in OpenSSH.

Of course nothing is going to change because of this. We didn't make any real changes after Heartbleed or Shellshock, and this isn't nearly as bad as those were, so it's business as usual.

Trying to force change isn't the important part though. The important thing to think about is the context this bug exists in. The folks who work on OpenSSH are some of the brightest security minds in the world. We're talking well above average here, not just bright. If they can't avoid security mistakes, is there any hope for the normal people?

The answer is no.

What do we do now?

For the moment we will continue to operate just like we have been. Things aren't great, but they're not terrible. Part of our problem is that things aren't broken enough yet; we're managing to squeak by in most situations.

The next step will be developing some sort of tribal knowledge model. It will develop in a mostly organic way. In the long term, security will be a teachable and repeatable thing, but we can't just jump to that point; we have to grow into it.

If you look at most of the security conference content today it sort of falls into two camps.

  1. Look at my awesome research
  2. Everything is broken and we can't fix it

Both of these kinds of content are delivered by magicians. They're not really teaching knowledge, they're showing off. So how do we teach? Teaching is really hard to do, and it's not easy to figure out.

Many people believe security can't be learned, that it's just something you have. This is nonsense. There are many possible levels of skill. There is a point beyond which you have to be especially gifted to move on, but there is also a useful level that a large number of people can reach.

Perhaps the best place to start is to think about the question "I want to learn security, where do I start?"

I've been asked that many times. I've never had a good answer.

If we want to move our industry forward, that's what we have to figure out. If someone comes to us asking how to learn security, we have to have an answer. Remember, no idea is too crazy; if you have thoughts, let's start talking about it.

Join the conversation, hit me up on twitter, I'm @joshbressers