Agreed that secure low level without application security doesn’t get you there, which is why I said we need a full stack—and even if it wasn’t part of this, redeveloping network infrastructure to be done well and securely seems like a very useful investment.
But doing all the normal stuff well on top of systems that still have insecure chips, BIOS, and kernel just means that the exploits move to lower levels—even if there are fewer, the differences between 90% secure and 100% secure is far more important than moving from 50% to 90%. So we need the full stack.
Agreed that secure low level without application security doesn’t get you there, which is why I said we need a full stack—and even if it wasn’t part of this, redeveloping network infrastructure to be done well and securely seems like a very useful investment.
But doing all the normal stuff well on top of systems that still have insecure chips, BIOS, and kernel just means that the exploits move to lower levels—even if there are fewer, the differences between 90% secure and 100% secure is far more important than moving from 50% to 90%. So we need the full stack.