The point I'm making is that people have to create defects in the first place. Contrary to some claims on these threads, most code does have a finite amount of exploitable defects.
Ah right, got you now. I was referring to the scalability issue.
Of course the great thing about code defects is that updates are just as good at introducing new bugs if the developers don't have proper security processes in the first place.
The large strategic moves major vendors like Microsoft, Adobe, Google, and especially Apple with the iOS platform seem to be doing a good job of killing whole subclasses of vulnerabilities, and of driving up the cost of exploitation (above and beyond flaw discovery).
Your point about software maintenance introducing a continuous stream of new flaws is well taken, but ultimately I think vendors who take this problem seriously are in a very good position to do something about it.
You're right. The bigger boys are in various stages of getting it together, it's the ones that don't seem to have immediate column-inch impact (Oracle, SAP etc.) that aren't quite there yet, and then you've got everyone else who lack the resources or interest to pull it off.
And again economics is firmly in our corner here, since the effort to build exploits for exotic targets isn't that much less than the effort to target e.g. Android... but the incentive to build those exploits is far lower.
> Exploits do not come out of nowhere. They can't be scaled with demand.
Why not? All large software projects have flaws. Doesn't more demand for exploits mean more people are going to look for and find them?
> The fundamental moral problem with the market isn't the value being imputed to exploits; it's the lack of value imputed to resilient software.
I think it's both. People shouldn't be selling exploits to entities that will use them offensively. And vendors largely don't care about security as much as they should.
More demand does cause more people to look for exploits. But since there's a finite number of vulnerabilities to be extracted from code, I'm not sure how that's relevant.
The fundamental moral problem with the market isn't the value being imputed to exploits; it's the lack of value imputed to resilient software.