December 31, 2002

Patching Is For The Birds

A story on Wired claims that finding holes in software is a waste of time, since, as far as we can tell, most vulnerabilities are rarely exploited.

As I wrote in the paper The Injustice of Insecure Software, the penetrate-and-patch mentality of the software industry is inherently flawed. It does not work today, and it cannot scale to meet the demands of software that plays an ever-increasing role in the safety and health of our daily lives.

What is audacious about the current system is not that the majority of vulnerabilities fail to turn into flaming exploits like Code Red and Nimda, but that most software vendors never examine the unintended functionality of the software they write. Quality assurance groups are so focused on making sure software does what it is supposed to do that they rarely spend time examining what it does that it is not supposed to do.[1]

As software becomes an integral part of the way things work in both the virtual and physical worlds, software customers cannot continue to accept software riddled with security vulnerabilities. Just as a development team designs for performance, reliability, ease of use, and quality, it must also design for security. By designing for security you get the value of quality and the ability to sell to the likes of GE and Sprint. You also get to avoid the costly and negative investment in patching the holes your customers find in your software.

For a view into some of the latest vulnerabilities that influence our life in the physical world, check out this article on traffic control software in the latest issue of Phrack.

1. H.H. Thompson & J.A. Whittaker, "Testing for Software Security: Rethinking Security Bugs," Dr. Dobb's, November 2002.

Posted by Abner on December 31, 2002 11:54 AM
