undefined

That is actually unfair. Most companys spend enormous amounts on security with vast armys of security employees. Not that it is effective, but it is not for lack of resources or trying.

I mean we are literally in a thread about how the 4 trillion dollar company, literally the 3rd most valuable company in the world, with a core competency in software has, yet again, released a core product riddled with security defects for the 50th year in a row.

Commercial IT security is a industry that is incapable to a fault and has, so far, faced basically zero consequences for it.

by marysol519 minutes ago|

parent|

[-]

Hey now, when Apple products get a serious Kernel level vulnerability that is able to be executed just by browsing a website. It's a "jailbreak" not an "exploit".

Exploits are BAD!

by gorbachev1 hours ago|

parent|

prev|

[-]

For every Apple, there are 100 mom-and-pop companies who have nothing.

Even more so in the future when a software company can be launched by a farm of AI Agents with a founder at helm with no clue about computing or security.

What's debateable is how many of those companies actually need irontight security, because they are never realistically going to be targets of criminals and/or they have nothing valuable to steal/corrupt in the first place (other than the owner's pride).

by concinds3 hours ago|

parent|

prev|

[-]

> Most companys spend enormous amounts on security with vast armys of security employees

This is true in America in many industries now, but most of the rest of the world (even the rest of the OECD) is still far behind.

by saagarjha3 hours ago|

parent|

prev|

[-]

Maybe they should've been as productive as the guys down in Santa Barbara.

by 10 hours ago|

parent|

prev|

[-]

deleted

by aiisjustanif9 hours ago|

parent|

prev|

[-]

While maybe true, it is better to back that up with data and the data I know of and read yearly is mostly not great. Between Splunk and SANS surveys of 2025 maybe ~2000 companies have a SOC. [1] [2]

Then you have the many companies in the UK, US, Canada, EU that have compliance and regulatory laws that require them to exist in some capacity in house. Though that is changing with MDR services, but someone still has to interface with the MDR.

[1]: https://www.elastic.co/pdf/sans-soc-survey-2025.pdf [2]: https://github.com/jacobdjwilson/awesome-annual-security-rep...

by marysol518 minutes ago|

parent|

[-]

Does the report talk about how many are /actual/ "SOC"'s, rather than some outsourced SIEM service. Or one guy who gets a daily report...

by dgellow14 hours ago|

prev|

[-]

Not at all. I’m considering that the amount of vulnerable software in the wild is very, very large, with most organizations not managing their systems properly. Imagine all the small to medium size companies that do not have budgets for a dedicated, talented security team. And all the software that will never be patched. We are at the beginning of the exponential

by saghm6 hours ago|

parent|

[-]

> I’m considering that the amount of vulnerable software in the wild is very, very large

I'd imagine this set is very similar to just "the set of software on the world". Even before the AI stuff, it was a pretty good bet at any given software had some vulnerability; it was just a question of how easy to was to find it.

by dgellow2 hours ago|

parent|

[-]

Yes, that’s my point. Look at how fast the Calif team tackled that macOS issue. Against the top company in the world. One week from bug to exploit. In 2-5 years things will be really wild for everybody out there. We released a technology that make it possible to design extremely complex exploits at a scale we never had to face before. What does that mean if you’re not the top company? Things will be really bad

by bottlepalm11 hours ago|

parent|

prev|

[-]

It makes you think will everything need to be rewritten from the ground up - potentially by AI itself, or AI having a very heavy hand in validating all of it.

by Gigachad11 hours ago|

parent|

[-]

There's so much much lower hanging fruit. Every job I've had has had basically everything massively out of date. Just keeping packages and framework versions up to date is a full time job and none of these companies have someone assigned to doing it.

So much out of date software with known exploits left running for years. The only reason there hasn't been total disaster is no one has tried to hack it yet.

by bottlepalm10 hours ago|

parent|

[-]

Right and with AI now we have the ability to try hacking everything all at once.

by dgellow2 hours ago|

parent|

[-]

Yes, exactly, that’s the main change. And not just in a script kiddy way. What we see now is LLM + experts can develop extremely complex exploit chains in no time. It’s one thing to exploit a known vulnerability that you can patch by upgrading your Wordpress, it’s something else when the attacker is able to completely take over your systems in ways you didn’t even consider was possible and adapt in 1 day to your attempts at patching

by Gigachad25 minutes ago|

parent|

[-]

For now, after the dust settles all of the low hanging fruit will have been patched and we will have hurried up the move to safer languages.

The root problem is the world runs on C code that is riddled with vulnerabilities.