@dymaxion threat models still apply to all of these things; they're literally what you use to determine where you spend the limited time you can spend on security (whether that's training coders, auditing code, choosing what to harden, etc.)
folks can lecture for days about how parser bugs creating weird machines is a serious threat, but if the parser is parsing some saved configuration flash on my digital stylus, chances are the worst that could come of any attack is a bricked stylus.
if you've spent your limited time and energy making sure that's ultra-audited because it's a parser, you're taking time away from things like "realizing that the auth token included in the GET requests for the firmware updater actually also has permissions to fetch and overwrite other products' files"
=> More information about this toot | View the thread | More toots from ktemkin@provably.online
=> View dymaxion@infosec.exchange profile