Disclosing Vulnerabilities In a Timely Manner

We’ve all seen buggy computer software: sometimes it’s a menu item that doesn’t work as expected, sometimes it’s a broken link, and sometimes it is a security vulnerability. Fortunately, there are far fewer of the latter than the former. Researchers and software designers have been working diligently to help ensure that software has fewer security vulnerabilities than ever. As a user and a security professional, I am very glad.

However, there are still security issues in software. Some are due to poor design, some are due to poor implementation, and some are due to broken tools. For this discussion, the cause isn’t as important as the finding of the vulnerability.

Finding Security Vulnerabilities

Researchers look at code, look at behavior and use other methods to find security vulnerabilities in code. It is hard and time-consuming work. If there were some sort of magic bullet software that would find all the vulnerabilities in software, we’d have found all of them some time ago. Larger software packages are very complex systems. Modeling those systems is difficult and sometimes discerning correct vs. incorrect behavior is difficult.

There are multiple groups working on finding software vulnerabilities before the bad guys find and exploit them. One of these is Google’s Project Zero. They look for vulnerabilities and when they find them, they notify the software creators of the issue and give them ninety days to fix it before they disclose it to the public. Other researchers have similar policies with fix deadlines from 14 to 90 days. This is a good approach. If they released the info to the public immediately, the bad guys could potentially exploit the bug before it could be fixed.

Unfortunately for users, some software takes longer to fix and test than the window researchers allow. That means the vulnerabilities may be announced to the public before the vendors get a chance to fix them. Project Zero recently caught some flak for disclosing some Microsoft vulnerabilities before the software could be patched. After Microsoft’s complaints, Project Zero changed its disclosure policies; the revised policies are described on the Project Zero blog.

It can be hard to balance disclosure and confidentiality: people need to know their software is vulnerable, yet early disclosure might help the bad guys exploit the vulnerabilities. We discuss these issues in Learning Tree’s System and Network Security Introduction. There are multiple viewpoints, but most agree that the vendors need time to fix bugs before they are disclosed. I hope to see you in that course soon.

I am speaking at ICE

On a more personal note, I’d like to tell you a little more about my presentation at ATD’s annual #ATD2015 convention in Orlando in May. I’ll be talking about technical training, specifically about techniques instructors use to help learners think about the topics they’re learning. It turns out that when people think about what they’re learning, engagement and retention are increased. The focus of my presentation is how to deploy those techniques. If you or someone at your organization is coming, please ask them to look me up – I’d love to meet you or them there.

To your safe computing,
John McDermott
