Saturday, March 29, 2008


Why Bex Huff is wrong about security...

I figured I would throw daggers at Bex Huff and his recent posting...

Bex, I bet you would be even more shocked to see how much it costs an enterprise to apply all those patches. Have you thought about patch management from a financial perspective? Let's say that a large enterprise has 500 IT software vendor relationships and each vendor iterates until they actually write their software securely. How many employees would it take just to understand the impact if this velocity were to increase?

Can we acknowledge that the patch existed because the base software wasn't written with security in mind in the first place? Can we also acknowledge that the patch probably exists because the software vendor wasn't proactive about finding security defects and instead relied on the outside world and its customers to find them? Bex, I wonder: if you were to take older Oracle code and run it through a static analysis tool such as those provided by Ounce Labs, Coverity and others, would the patch still have been needed later, or could the defect have been discovered earlier in the product lifecycle?

At some level, I agree. I guess customers configure things improperly because the software allows them to! Maybe software vendors should choose configuration options that are secure by default versus expecting customers to configure them securely? Can we at least acknowledge that for many products, us stupid customers tend to either configure things through wizards and/or take the defaults?
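To make the last two points concrete, here is an added example, not code from this post and not Ounce Labs' or Coverity's tooling: a toy static-analysis pass built on Python's `ast` module. It flags insecure keyword defaults (the "secure by default" point), hard-coded secrets, and SQL assembled from string concatenation or formatting, all of which a vendor could catch before shipping rather than patch after a customer finds them. The parameter names in `SECURE_DEFAULTS` and the `SAMPLE` module it scans are constructed for this example.

```python
"""
Added example: a small static-analysis pass over Python source.
Not from the original post and not any vendor's scanner; the
parameter names and the SAMPLE module are constructed for illustration.
"""
import ast
from dataclasses import dataclass

# Keyword parameters whose default ought to be the secure value.
# These names are assumptions for the example, not a real product API.
SECURE_DEFAULTS = {
    "verify_ssl": True,
    "debug": False,
    "allow_anonymous": False,
}
SECRET_HINTS = ("password", "passwd", "secret", "api_key")
SQL_VERBS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _const(node):
    """Return the literal value of a Constant node, else None."""
    return node.value if isinstance(node, ast.Constant) else None


def _contains_sql_literal(node):
    """True if any string literal inside the expression starts a SQL statement.

    Walking the whole subtree covers "SELECT ..." + x, "SELECT %s" % x,
    "SELECT {}".format(x) and f"SELECT {x}" alike.
    """
    for sub in ast.walk(node):
        val = _const(sub)
        if isinstance(val, str) and val.lstrip().upper().startswith(SQL_VERBS):
            return True
    return False


class InsecurePatternVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _report(self, node, rule, detail):
        self.findings.append(Finding(node.lineno, rule, detail))

    def visit_FunctionDef(self, node):
        a = node.args
        positional = a.posonlyargs + a.args
        # Positional defaults align with the last len(defaults) parameters.
        pairs = list(zip(positional[len(positional) - len(a.defaults):], a.defaults))
        pairs += [(p, d) for p, d in zip(a.kwonlyargs, a.kw_defaults) if d is not None]
        for param, default in pairs:
            want = SECURE_DEFAULTS.get(param.arg)
            got = _const(default)
            if want is not None and got is not None and got != want:
                self._report(node, "insecure-default",
                             f"{node.name}({param.arg}={got!r}) should default to {want!r}")
        self.generic_visit(node)

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Assign(self, node):
        value = _const(node.value)
        for target in node.targets:
            if (isinstance(target, ast.Name)
                    and any(h in target.id.lower() for h in SECRET_HINTS)
                    and isinstance(value, str) and value):
                self._report(node, "hardcoded-secret",
                             f"{target.id} is assigned a literal string")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            query = node.args[0]
            # A bare string literal with bound parameters is fine; query text
            # assembled at runtime from a SQL literal is not.
            if not isinstance(query, ast.Constant) and _contains_sql_literal(query):
                self._report(node, "dynamic-sql",
                             "query text built at runtime; use bound parameters")
        self.generic_visit(node)


def scan(source):
    """Parse `source` and return findings sorted by line number."""
    visitor = InsecurePatternVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module: one hard-coded secret (line 1), two insecure
# defaults (line 3), a concatenated query (line 7), a parameterized query
# that should pass (line 8), and an f-string query (line 9).
SAMPLE = '''\
db_password = "hunter2"

def connect(host, verify_ssl=False, debug=True):
    return host

def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    cur.execute(f"DELETE FROM sessions WHERE user = {name}")
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run it as a script and it reports five findings on `SAMPLE`; the parameterized `execute` on line 8 is left alone. The `insecure-default` rule is the interesting one for this discussion: it pushes the secure choice into the function signature, so a customer who clicks through a wizard or takes the defaults gets TLS verification and no debug output without having to know to ask for them.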

We are in full agreement here, but there are some challenges. First, I have no idea what the best practices and practical considerations are for writing software so that it is easier to patch. Do you think others in the blogosphere would be willing to dedicate a couple of blog postings to help figure this out?
