
Inevitably the cause of the breach will be something like an open firewall.


70% of security vulnerabilities in code are memory safety issues. However, the vast majority of in-the-wild attacks were not against security vulnerabilities but against people. No technology can protect you from someone giving out the secret keys to the attacker.


Just false, if you look at most of the ransomware cases for example. This whole fixation on "human layer security" has done more harm to cybersecurity than many actually malicious things. Wasting your money and resources on training Karen from HR to spot 20% more phishing emails yields exactly the results you'd think it does.

I hope we can get out of that nonsense and tackle cyber issues with actual technological investments as it should and can be done.


The only part of what you said that disagrees with me is the words "just false". I don't know how to ensure "Karen from HR" doesn't fall for those things, but training is clearly not enough (or at least current training; I'm not hopeful for future efforts, but...). Either way, since the attack wasn't against something a programming language can protect against, no amount of fixing programming languages will help.

We need to come up with answers that work despite humans not being perfect. This is a hard problem. (What gets hard is that sometimes someone will lose/forget a key, and so you need to issue a replacement, but only to the correct person.)


I wrote a different reply initially, but I think we agree after all, and I misinterpreted your original post.


The technology solution here is not allowing Karen from HR to have a password at all and instead using something like Yubikey + FIDO, which can't be phished.
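Added illustration (example code written for this page, not from the thread or from any FIDO vendor) of the property the comment above relies on: a FIDO/WebAuthn assertion is bound to the site's origin and relying-party ID, so a credential captured on a lookalike site cannot be replayed against the real one. All names, domains, keys and the challenge are constructed for the example; HMAC stands in for the authenticator's asymmetric signature so it runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample values for this example (not taken from the thread).
RP_ID = "example.com"                 # relying-party ID the credential was registered for
EXPECTED_ORIGIN = "https://example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(key: bytes, authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Stand-in for the authenticator's signature.

    A real authenticator signs authenticatorData || SHA-256(clientDataJSON) with
    an asymmetric key that never leaves the device. HMAC is used here only so
    the example runs with the standard library; what gets signed is the point.
    """
    signed_bytes = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(key, signed_bytes, hashlib.sha256).digest()


def browser_get_assertion(key: bytes, rp_id: str, page_origin: str, challenge: bytes) -> dict:
    """Model of what browser + authenticator do for navigator.credentials.get().

    Two properties make this phishing-resistant:
    1. The browser refuses unless rp_id is the page's domain or a parent of it,
       so a lookalike site cannot request a credential scoped to example.com.
    2. The browser, not the page's script, writes the real origin into
       clientDataJSON, and that JSON is covered by the signature.
    """
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP bit set) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return {
        "authenticatorData": auth_data,
        "clientDataJSON": client_data_json,
        "signature": sign(key, auth_data, client_data_json),
    }


def rp_verify_assertion(key: bytes, assertion: dict, expected_challenge: bytes):
    """Relying-party verification (a subset of the WebAuthn verification steps)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch (assertion was made on another site)"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-present flag not set"
    expected_sig = sign(key, auth_data, assertion["clientDataJSON"])
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Legitimate login succeeds; a lookalike site fails at two different layers."""
    key = b"constructed-credential-key"
    challenge = b"\x00" * 16  # constructed; a real RP issues a fresh random challenge
    legit = rp_verify_assertion(
        key, browser_get_assertion(key, RP_ID, EXPECTED_ORIGIN, challenge), challenge)

    lookalike = "https://example.com.login-verify.test"  # constructed lookalike origin
    try:
        browser_get_assertion(key, RP_ID, lookalike, challenge)
        browser_refused = False
    except ValueError:
        browser_refused = True   # the browser never even invokes the authenticator

    # Even if the lookalike asks for a credential scoped to its own domain and
    # relays the result, the RP rejects it: the signed origin is not ours.
    relayed = browser_get_assertion(key, "login-verify.test", lookalike, challenge)
    relayed_result = rp_verify_assertion(key, relayed, challenge)
    return legit, browser_refused, relayed_result


if __name__ == "__main__":
    print(demo())
```

The contrast with a password is the whole point: a password typed into the lookalike page is usable anywhere, whereas the assertion is only ever produced for the registered rpId and carries the origin the browser actually observed, so neither the lookalike's request nor a relayed assertion verifies at the real site. The recovery workflow raised further down the thread is a separate path this check does not cover.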


Which is great until someone who might or might not really be "Karen from HR" says they lost their Yubikey and needs a new one. This workflow must exist, but it is generally easy for an attacker to get authenticated by that system.


That is a significantly higher barrier than phishing.


Often the point of phishing is to get enough info to fool that system.



