Slashdot Mirror
Is Finding Security Holes a Good Idea?
ekr writes "A lot of effort goes into finding vulnerabilities in
software, but there's no real evidence that it actually improves security. I've been trying to study this problem and the results (pdf) aren't very encouraging. It doesn't look like we're making much of a dent in the overall number of vulnerabilities in the software we use. The paper was presented at the Workshop on Economics and Information Security 2004 and the slides can be found here (pdf)."
Is finding security holes a good idea?
Writing Security Considerations Sections
Hmmm.
He describes that if automated installation of patches were widely deployed then the benefits to discovery would increase.
Assuming the patches don't break something else by mistake.
The last time I did an update on my laptop (via MS update) and rebooted, I landed in a BSOD. I had to disable my wireless card, get new drivers, and re-install it before I could get the machine to boot normally again.
If the update had happened automatically, and I was not in a position to get the new device drivers like on the road, or at a customer's site), I would have been SOL.
While automatic updates may sometimes make sense for security, they aren't the best solution.
---
"I can't complain, but sometimes still do..." Joe Walsh
if the patch breaks an application and the machine goes unpatched there is a loss in security because of potential intrusion. If the patch is applied there is a potential loss of productivity.
Not all patches are security patches. Many patches fix problems, such as the spell check function doesn't work correctly. Or some other function doesn't work correctly. These won't compromise security, but they may interfere with other programs.
In theory, you are right. In practice, I've been using apt-get for several years and never got in the situation you mention when patching with "stable" releases. Can't say anything about Microsoft patches, though. Never touch that stuff.
Crackers will dissect your patches to create exploits, but you'll at least have protection available when the exploits go wild. If they don't find vulnerabilities from the patches, they'll just spend more time trying to find them manually, and the more you leave unpatched, the better the odds they have of finding one. Your customers who care about security the most will install the patches on time, and get pissed if a cracker exploits something before you've patched it.
But it's even better to find them before the product ships, and design early on to avoid the common ones. I believe the author of qmail is still offering thousands of dollars to the first person who finds even a single vulnerability.
Finding problems which can be disclosed at the same time as a patch is very good.
All the major Linux distributors will release updates in a timely manner, and enable people to install them with minimum effort - much like Microsoft does. The only difference with Microsoft's patches is they can, rarely, break things. I've never seen this happen with a Linux update.
Personally I've never heard anybody say anything bad about the pro-active way which the OpenBSD team audit their codebase and this is one of the reasons why I started the Debian Security Audit.
Having a dedicated team of people auditing code, combined with the ability to release updates in a timely manner is definately a good thing.
(The results of my work show that even with only a small amount of effort security can be increased)
Did I mention that I'm available for hiring? ;)
Really. I didn't make that up, check the link! Who is this guy, and why is he giving me software security advice?!
Member of the IAB. Co-chair of the TLS working group.