Still, the Pwnie Awards bring some retrospective and, yes, humor to a field that sometimes seems to be nothing but a vale of tears. And so with no further ado, this year's bleeding turkeys, hung on display for your amusement and edification:
Best Server-Side Bug: (Surprise, surprise) Heartbleed, credited to Neel Mehta and Codenomicon. Heartbleed is perhaps the most famous security trouble of the year, which brought more attention to the many drawbacks of SSL. Although Mehta and Codenomicon were lauded for their work in solving the problem, the open-source community was nominated for the Pwnie for "Most Epic Fail," being that the flaw existed for two years. I actually think that this deserves a better award than this - Heartbleed is probably the worst security bug I've ever seen, and I've seen literally thousands of them over twenty years or so. Epic, epic, epic fail (Pwnie Awards fail?).
Lamest Vendor Response: AVG, saying that a software weakness was "by design" and therefore not a vulnerability. This offense even beat out another nominee: "Daniel" from Open Cert who replied to a researcher's request for the appropriate email address for vulnerability disclosures, with "it was not ignored dick head why lie! are you a professional or not? professionals don't need to lie to prove a point they use facts!" Heh. I'm going a bit out on a limb here, but it seems like calling someone a "dick head" who's reporting a security bug in your product is the express lane to Internet fame. Just a guess, though. But mad props to the AVG support team for bringing the definitive "arrogant junior engineer" dismissiveness. Yeah, we meant to do that stupid thing you're talking about. Totally. Amirite?
Others at the link. And there's this song, too, which is totally how Security rolls, yo.
They in the dark 'cos they got no intrusion detection ...