[ Thanks to James Maguire for this link. ]
Zatko explained that DARPA keeps a watchlist of
software deployed in the Government that needs patching or security
fixes. As a source of irony and frustration, Zatko said that on a
recent list, six out of 17 vulnerabilities that DARPA was tracking
for fixes were for vulnerabilities in security software. So the
software that is supposed to be securing the government is in some
cases vulnerable and still unpatched.

The other issue that Zatko is worried about is the fact that
modern software is built in multiple layers, which end up
increasing the attack surface.