Root Cause: HAIRBALL Systems Design
Too many people in Software Engineering still think they need the latest and greatest third-party library in their projects. Nah - a dozen of them!
So they have
+ TLS mumbo-jumbo, so complex nobody gets it right (non-exploitable bugs) for a decade.
- OpenSSL with 400k lines of code and probably 10000 exploitable bugs. Nobody bothered to find them for a decade.
- Apache Struts with 280k lines of code and lots of exploitable bugs. Also, decade-old exploitable stuff in there.
- Linux kernel with 11 million lines of code and exploitable bugs in things like gethostbyname().
So, what to do?
I suggest radically rethinking what we do and going for much leaner, easier-to-understand and easier-to-analyze systems. E.g.:
+ seL4 OS (https://github.com/seL4/seL4) with just 40k lines of code! Attempted correctness proof.
+ MST crypto library (https://github.com/DiplIngFrankGerlach/MST) with fewer than 1k lines of code at the core.
+ INRIA CompCert C compiler (http://compcert.inria.fr/download.html) - 90k lines of code and correctness proven.
And if that is "too technical" for the manager types, they had better educate themselves on the subject.