Once again - Patchanga!


Another record-breaking security patch was released by Microsoft this week. The patch, covering 34 vulnerabilities in a variety of Microsoft products, is the largest of its kind (so far), breaking the previous record set just a couple of months ago (June).

This gives us an excellent perspective on the inherent limitations of SDLC as the first and last line of defense when it comes to information security. Microsoft has invested more than any other software company in SDLC and secure coding within its products in recent years. It went to great lengths to improve coding practices as well as to incorporate different types of security tests into the software development process. Yet over the past year the number of vulnerabilities has been on the rise.

IMHO Microsoft has just reached the inherent limits of (real world) software debugging processes. The law of large numbers, applied to lines of code, gives us a non-zero prediction of the number of software flaws per 1000 LOC (or 10K LOC, or whatever unit you choose). There is in fact a mathematical theorem showing that guaranteeing the correctness of a general computer program is an undecidable problem (it cannot be solved in a finite time). In fact, there is a point beyond which any increase in QA resources (and time) has a negligible effect on software quality. Nowadays, even the simplest of applications comprises (either directly or indirectly) a very large number of LOCs (check out the image size of a "Hello World" application). We can rest assured that any software out there has either known or unknown flaws in it. Using the law of large numbers again, one can safely assume that some of these flaws affect information security. This happens regardless of the effort and resources put into the software production process.

So should we give up on SDLC altogether? Definitely not. Prudent use of SDLC can dramatically improve the quality of software, and the security of the information it processes, to the point where flaws do not interfere with common usage of the software and vulnerabilities are not abundant. However, we should also understand that:

    a. we cannot rely on SDLC as the sole line of defense for security purposes, and

    b. there might be solutions that are more cost- and time-effective in terms of mitigating security-related flaws in applications.

In particular, I believe that investing resources in a web application firewall is much more effective than putting those resources into SDLC. There are two main reasons for that: a. we are talking about substantially less money, both to begin with and over the years, and b. as discussed earlier, eventually you will need a web application firewall to mitigate those vulnerabilities that were not detected during the software production process.

- Amichai

Written on Wednesday, 14 October 2009 04:37 by GSO
