I have no idea what assessment you are even referencing. The only assessments you made as far as I can tell were:
1) The post was made to vilify independent security research.
2) The post argues against "the entire modern science of software security".
3) The norms of 1997 are worse than the norms of 2025, and my support for the argument that "Penetrate and Patch" is a poor security policy is somehow indicative that I prefer the norms of 1997, even though "Penetrate and Patch" was and continues to be the prevailing norm.
To which I argue:
1) Maybe so. However, the arguments against most of the stated practices, in particular everything except idea #4, stand on their own and have stood the test of time.
2) Given the contents of the rest of that post, this is almost surely a statement that idea #4 was wrong, which I have agreed was incorrect. I also, separately, argue that "the entire modern science of software security" is basically useless at producing systems secure against common prevailing threat actors, as is demonstrated daily. This is distinct from the high level of capability in producing systems and processes that can identify and exploit vulnerabilities, which is a clear win for "the entire modern science of software security". However, such capability is not very helpful in achieving the former, which is the thing usually desired from "security".
3) I am just baffled. I have to assume that you just misread my position. Otherwise you are arguing that the systems of 1997 were default deny, explicit whitelists, engineered for security from the start, and operate in a secure configuration by default. Or that the security processes of 2025 are that way. Both of which are laughable. I guess you could also argue that those principles are bad, but I am pretty sure even the sorry state of affairs that passes for "software security" these days recognizes those are correct principles even if they utterly fail to even attempt them.