Richard Feynman describes this 'form' as the cargo cult, which is put into a software engineering context here. In the security context, the cult of good security exhibits:
- Full Disclosure
- Open Source Audit
- Built in Cryptography
- Active Patching
The OpenBSD model of "proactive" auditing of software and "security by default" distributions leads to good security. The fact that they exhibit all of these forms is incidental. The OpenBSD patch mechanism is very basic because there are not that many security holes to patch; most potential exploits were designed out from an early stage.
I suppose when you have a 'runaway train' of security issues then you would need a 256Mb brake. I hope it works.
1 comment:
Microsoft publish this research document from Forrester.
I cannot argue with the details of the research. But I question the types of disclosure used in the study of the number of days of vulnerability. Open source has open issues and therefore open disclosure, and so responsible disclosure with open source libraries is hard to do. Most serious Windows flaws, discovered under white hat conditions, are responsibly disclosed, and there is typically some 60 days before public disclosure is made.
You can see how long it takes from the day of disclosure to the day of a distribution fix by subtracting the distro figure from the all-days figure. For Windows this comes out at 0, i.e. responsible disclosure must be in operation, and for RedHat 10 days, i.e. public disclosure (or slow). This also brings into question the total number. If Windows disclosure is based mostly on responsible disclosure, then how many fixes are still being worked on?