As per the advice on pg 26 the researcher recommends restricting access to compilers/debuggers and interpreters that can assist an attacker in reversing/probing vulnerable binaries . Lets see which ones ship in Debian and see if we can do without them (I assume attacker doesn’t have sufficient privileges to re-install and if they do then it’s game over anyhow). Meanwhile apparmor can restrict access to interpreters on a need to work basis.
Related ticket: