
posted by Fnord666 on Thursday February 28 2019, @02:55PM
from the hello-entropy dept.

The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies: it is a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, operated by the non-profit Mitre Corporation, with additional government funding. For years it has been good enough; while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.

Risk Based Security, the private operator of the competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including "there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization," and "organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage." This criticism is neither imaginative nor unexpected from a privately-owned competitor attempting to justify their product.

In fairness to Risk Based Security, there is a known time delay between a CVE being published and NVD assigning it a CVSS score, though they overstate the severity of the problem: an empirical research report finds that "there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities."
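The practical question behind the scoring-delay point is how much of the NVD feed an organization consumes is still unscored, and whether the wait differs by severity. The script below is an added example (not code from the article, Risk Based Security, or NIST) that answers both from the NVD JSON 1.1 feed format: an entry whose "impact" block carries neither baseMetricV3 nor baseMetricV2 has not been analyzed yet. The feed records, CVE IDs, dates and scores are constructed for the example, and because the feed has no field for when a score was assigned, lastModifiedDate is used as a proxy for it (an assumption; a later re-analysis would inflate the figure).

```python
"""Check an NVD JSON 1.1 feed for unscored entries and publish-to-score lag.

Added example, not from the article or any vendor. SAMPLE_FEED is a
constructed stand-in shaped like an NVD 1.1 feed; the IDs, dates and
scores are invented.
"""
from datetime import datetime, timezone

# Constructed: the moment we "fetched" the feed, used to age unscored entries.
NOW = datetime(2019, 2, 28, 15, 0, tzinfo=timezone.utc)

SAMPLE_FEED = {
    "CVE_data_type": "CVE",
    "CVE_Items": [
        {   # scored with both CVSS v3 and v2 metrics (constructed)
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-0001"}},
            "impact": {
                "baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                "baseMetricV2": {"cvssV2": {"baseScore": 7.5}, "severity": "HIGH"},
            },
            "publishedDate": "2019-02-01T10:00Z",
            "lastModifiedDate": "2019-02-06T12:00Z",
        },
        {   # scored, low severity (constructed)
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-0002"}},
            "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 3.3, "baseSeverity": "LOW"}}},
            "publishedDate": "2019-02-03T08:00Z",
            "lastModifiedDate": "2019-02-10T08:00Z",
        },
        {   # awaiting analysis: no CVSS metrics at all (constructed)
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-0003"}},
            "impact": {},
            "publishedDate": "2019-02-20T09:30Z",
            "lastModifiedDate": "2019-02-20T09:30Z",
        },
        {   # scored, high severity (constructed)
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-0004"}},
            "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.2, "baseSeverity": "HIGH"}}},
            "publishedDate": "2019-02-05T00:00Z",
            "lastModifiedDate": "2019-02-08T00:00Z",
        },
        {   # scored with CVSS v2 only, as older entries are (constructed)
            "cve": {"CVE_data_meta": {"ID": "CVE-2019-0005"}},
            "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}, "severity": "MEDIUM"}},
            "publishedDate": "2019-02-10T00:00Z",
            "lastModifiedDate": "2019-02-14T00:00Z",
        },
    ],
}


def parse_nvd_date(s):
    """NVD 1.1 feeds use 'YYYY-MM-DDTHH:MMZ' (UTC, minute precision)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def cve_id(item):
    return item["cve"]["CVE_data_meta"]["ID"]


def is_scored(item):
    """An entry with neither v3 nor v2 metrics is still 'awaiting analysis'."""
    impact = item.get("impact") or {}
    return "baseMetricV3" in impact or "baseMetricV2" in impact


def severity(item):
    """Prefer the v3 baseSeverity, fall back to the v2 severity label."""
    impact = item.get("impact") or {}
    v3 = impact.get("baseMetricV3", {}).get("cvssV3", {})
    if "baseSeverity" in v3:
        return v3["baseSeverity"]
    return impact.get("baseMetricV2", {}).get("severity", "UNRATED")


def unscored_entries(feed, now=NOW):
    """Return [(cve_id, whole days since publication)] for unscored entries."""
    out = []
    for item in feed["CVE_Items"]:
        if not is_scored(item):
            age = now - parse_nvd_date(item["publishedDate"])
            out.append((cve_id(item), age.days))
    return out


def lag_by_severity(feed):
    """Mean whole days from publishedDate to lastModifiedDate per severity.

    Assumption: lastModifiedDate stands in for the scoring date, since the
    feed records no separate timestamp for when CVSS was assigned.
    """
    lags = {}
    for item in feed["CVE_Items"]:
        if not is_scored(item):
            continue
        lag = parse_nvd_date(item["lastModifiedDate"]) - parse_nvd_date(item["publishedDate"])
        lags.setdefault(severity(item), []).append(lag.days)
    return {sev: sum(days) / len(days) for sev, days in lags.items()}


if __name__ == "__main__":
    # Same logic applied to a real feed: json.load(open("nvdcve-1.1-recent.json"))
    print("unscored:", unscored_entries(SAMPLE_FEED))
    print("lag by severity:", lag_by_severity(SAMPLE_FEED))
```

Run against the real "recent" or "modified" feed, the first number tells you how much of what you ingest has no score yet, which is the gap a vendor report is pointing at; the second lets you check the research finding for your own window rather than taking either side's word for it.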

https://www.techrepublic.com/article/software-vulnerabilities-are-becoming-more-numerous-less-understood/


  • (Score: 4, Insightful) by TheFool on Thursday February 28 2019, @04:06PM (6 children)

    by TheFool (7105) on Thursday February 28 2019, @04:06PM (#808170)

    Software itself is becoming more bloated (more code to have bugs) and less understood. The kinds of apps that get glued together (it's hard to call something that is 90% external library code "written") today are massive compared to what we wrote 25 years ago, and even the system itself is becoming more complicated because everything needs to be talking to a web server somewhere. And it all needs to be done in half the time because somewhere along the line sales realized they never had to ship "finished" software, they could just ship updates to it until people stopped caring.

    We need to teach non-software people to understand that quality software takes far more time than the junk food equivalent they are used to consuming or this is what you'll get. Can you eat potato chips for every meal? Yes. It's pretty fast to grab a bag and chow down, and it'll fill you up. But it's unhealthy, and sooner or later that's going to catch up with you. We're just witnessing that in software.

  • (Score: 2) by DannyB on Thursday February 28 2019, @05:59PM (5 children)

    by DannyB (5839) Subscriber Badge on Thursday February 28 2019, @05:59PM (#808225) Journal

    Is it bloat? Or is it complex features?

    Which is more bloated? Notepad or Word?

    Which has more features? Notepad or Word?

    These features creep in and people like and accept them. Before long your super simple text editor highlights misspelled words.

    I remember in 1984 when Apple introduced the Macintosh. Many PC magazines were horrified at the memory and cpu power required to run a GUI. I hadn't seen so much whining and complaining since Nixon resigned. Now here we are today all using GUIs. (Unless you browse SN using a text mode browser.)

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 0) by Anonymous Coward on Thursday February 28 2019, @07:58PM (2 children)

      by Anonymous Coward on Thursday February 28 2019, @07:58PM (#808323)

      "Hello World" in Rust clocks in at 2MB. A huge attack surface. In my dictionary if Hello World goes over a few hundred bytes as a compiled executable, it is bloatware.
      Today much of the programming is gluing together large pre-made components or painting on top of a framework. The devs know the API, but have little to no information on the (often proprietary) base system - and that is where all the complexity and potential for bugs lives. Often these "higher" "safe" languages compile down to C or their runtimes were written in C, making them only as "safe" as the skills of the implementer.

      • (Score: 0) by Anonymous Coward on Thursday February 28 2019, @08:00PM

        by Anonymous Coward on Thursday February 28 2019, @08:00PM (#808325)

        But Rust is the safest, most perfect, and most loved programming language.

      • (Score: 2) by DannyB on Thursday February 28 2019, @09:29PM

        by DannyB (5839) Subscriber Badge on Thursday February 28 2019, @09:29PM (#808377) Journal

        I had no idea. I don't use Rust.

        Any idea why? Does it statically link a lot of unneeded library into the executable?

        I don't know what a "Hello World" in Java clocks in at, disk space wise. But I know that the new ZGC or Red Hat's new Shenandoah GC can handle Terabytes of heap, yes really, with 10 ms pause times -- so the Hello World should run efficiently!

        --
        The lower I set my standards the more accomplishments I have.
    • (Score: 1, Insightful) by Anonymous Coward on Thursday February 28 2019, @08:02PM (1 child)

      by Anonymous Coward on Thursday February 28 2019, @08:02PM (#808327)

      Is it bloat? Or is it complex features?

      It is bloat.

      Which is more bloated? Notepad or Word?

      Which is tastier, an apple or an orange?

      Your comparison is poor. The examples serve significantly different needs. Try something like "which is more bloated, Word 95 or Word 2019?" or "which is more bloated, Windows 7 or Windows 10?" or "which is more bloated, OS X 10.6 or OS X 10.14?"

      • (Score: 2) by DannyB on Thursday February 28 2019, @09:33PM

        by DannyB (5839) Subscriber Badge on Thursday February 28 2019, @09:33PM (#808378) Journal

        My comparison is meant to address that sometimes when people complain about bloat they might be wanting the "Notepad" solution and think that nobody else would be served by the significantly different "Word" solution. Because what they need is what everyone else needs.

        Or to put it in concrete terms, if Java didn't serve a real need, it wouldn't be the number one language for years in a row on multiple programming language indexes. Somebody out there must be finding it useful and economical.

        --
        The lower I set my standards the more accomplishments I have.