Slashdot Mirror
A Developers Security Bugs Primer
CowboyRobot writes "ACM Queue's current issue on Open Source Security includes a short article by Eric Allman of Sendmail on how to handle security bugs in your code.
"Patch with full disclosure. Particularly popular in the open source world (where releasing a patch is tantamount to full disclosure anyway), this involves opening the kimono and exposing everything, including a detailed description of the problem and how the exploit works... Generally speaking, it is easier to find bugs in open source code, and hence the pressure to release quickly may be higher.""
Check with local law enforcement first, as this is illegal in most prefectures.
Something I have noticed with the development team at my current place of work (I'm not on the team thankfully) is that they tend to do jobs in the order they were received... it make's the KPI's look damn good (all jobs are knocked over within x time frame) when in reality they should be setting a priority on each of these jobs.
We recently (1 month ago) had a form in an easily accessible place vulnerable to SQL Injection due to a failure to validate ANY of the data passed to it. This job was only just patched this past week (and all updates have been run). This time frame, as far as I am concerned, is entirely unacceptable for a job that was so easy to fix yet so dangerous to our business.
On disclosure: Add it to the release notes. If you roll out a patch for one problem, then the problem will be described in the release notes. If the release is internal then the problem will (SHOULD) also be documented in the testing plan and proceedure.
My $0.02.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
This is an extremely narrowly focused article. He doesn't account for anyone else's choice of apparel, and Netcraft has recently confirmed that Kimonos are dying anyway. There can't be that many users of such an outdated technology.
Next time take into consideration those who choose to wear sweatpants, moo-moos, and the increasingly popular among furries peanut butter suit + placard.
Getting advice on how to handle security bugs in your software from someone who works on Sendmail is like getting advice on dealing with relationship problems from someone who was divorced seven times. I mean, sure, he's got experience...
...which I don't really think now occur in sendmail at a higher rate than some other infrastructure bloatware. People are sometimes very slow to upgrade from very old versions, when problems were more common. For whatever reason (I lean toward complexity of administration), I see this a lot more often with mail systems than other infrastructure plumbing.
But here's a bit of irony: the ACMQueue article would seem to indicate that Allman believes in transparency. OK, the sendmail security page lives at:
http://www.sendmail.com/security/
But you have to know that, find it via Google, or just guess. When the page loads, you'll find a pagetop navigation bug at the Resources secion. But pull open the Resources section, and you find no link to it. Nor will you see it from the site map.
My overall take is that if you already know the ins and outs of sendmail admin (and other bits that it may be talking to, such as LDAP) you're running software which carries no greater than mainstream risk.
That said--this is complex software, and complexity is the enemy of security. If you're planning a new installation (particularly a small installation), and don't need all of sendmail's features, you should consider possible alternatives offerred by your Unix/Linux vendor.
What you do with a computer does not constitute the whole of computing.
What about the B developers? Do they not get a security bugs primer?