December 31, 2002
Patching Is For The Birds
A story on Wired claims that finding holes in software is a waste of time since, as far as anyone can tell, most vulnerabilities are rarely exploited.
As I wrote in the paper The Injustice of Insecure Software, the penetrate-and-patch mentality of the software industry is inherently flawed. It does not work today and cannot scale to meet the demands of software that plays an ever-increasing role in the safety and health of daily lives.
The audacity of the current system is not that the majority of vulnerabilities do not turn into flaming exploits like Code Red and Nimda, but that most software vendors do not examine the unintended functionality of the software they write. Quality assurance groups are so focused on making sure software does what it is supposed to do that they rarely spend time examining unintended functionality.[1]
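The distinction between testing intended and unintended functionality is easy to show in code. The example below is added here and is not from the original post: a small report-lookup helper is run through a conventional QA suite (documented inputs produce documented outputs) and then through an abuse-case suite that feeds it inputs no spec mentions and checks a single property, that the resulting path never leaves the storage directory. The function names, the `/srv/reports` directory and every input are constructed for illustration.

```python
"""Added example (not from the original post): one function, tested two ways.

The 'intended' suite checks that the helper does what its spec says.
The 'unintended' suite asks what else it will do, using inputs a normal user
would never type. BASE_DIR, the inputs and the function names are assumptions.
"""
from __future__ import annotations
import posixpath

BASE_DIR = "/srv/reports"          # hypothetical storage root


def report_path_naive(user: str) -> str:
    """Helper as a QA-only team might ship it: joins the base directory and a name."""
    return posixpath.join(BASE_DIR, user + ".txt")


def report_path_hardened(user: str) -> str:
    """Same contract, but rejects names that carry separators or escape BASE_DIR."""
    if not user or not user.replace("_", "").isalnum():
        raise ValueError("report name must be alphanumeric/underscore")
    full = posixpath.normpath(posixpath.join(BASE_DIR, user + ".txt"))
    # Belt and braces: even after the allow-list, confirm the result stays inside BASE_DIR.
    if posixpath.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise ValueError("resolved path escapes the report directory")
    return full


# What a conventional QA suite checks: the documented, intended inputs.
INTENDED_CASES = {
    "alice": "/srv/reports/alice.txt",
    "bob_2": "/srv/reports/bob_2.txt",
}

# What an "unintended functionality" review adds: inputs outside the spec.
# The property under test is the same for all of them: the path stays under BASE_DIR.
ABUSE_CASES = [
    "../../etc/passwd",
    "alice/../../shadow",
    "/etc/hosts",
    "",
]


def stays_inside(path: str) -> bool:
    """Property under test: a resolved report path never leaves BASE_DIR."""
    return posixpath.commonpath([BASE_DIR, posixpath.normpath(path)]) == BASE_DIR


def run_intended(fn) -> bool:
    """True if fn produces the documented output for every intended input."""
    return all(fn(name) == expected for name, expected in INTENDED_CASES.items())


def run_abuse(fn) -> list[str]:
    """Return the abuse inputs for which fn yields a path outside BASE_DIR.

    A raised ValueError counts as a correct rejection, not as a failure.
    """
    escaped = []
    for bad in ABUSE_CASES:
        try:
            out = fn(bad)
        except ValueError:
            continue
        if not stays_inside(out):
            escaped.append(bad)
    return escaped


if __name__ == "__main__":
    for name, fn in (("naive", report_path_naive), ("hardened", report_path_hardened)):
        print(f"{name}: intended suite passes={run_intended(fn)}, "
              f"abuse inputs that escape={run_abuse(fn)}")
```

Both versions pass the intended suite, which is exactly the author's point: a QA process that stops there sees no difference between them. Only the abuse-case suite separates the naive helper, which lets three of the four inputs resolve outside the report directory, from the hardened one, which rejects all four. The empty name is deliberately included because it stays inside `BASE_DIR` and so is not caught by the property check alone; the allow-list in the hardened version is what rejects it.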
As software becomes an integral part of the way things work in both the virtual and physical world, software customers cannot continue to accept software riddled with security vulnerabilities. Just as a development team designs for performance, reliability, ease of use, and quality, it must also design for security. By designing for security you get the value of quality and the ability to sell to the likes of GE and Sprint. You also get to avoid the costly and negative investment in patching the holes your customers find in your software.
For a view into some of the latest vulnerabilities that influence our life in the physical world, check out this article on traffic control software in the latest issue of Phrack.
Posted by Abner on December 31, 2002 11:54 AM