Thinking of Security Vulnerabilities As Defects
SecureThroughObscure writes "ZDNet Zero-Day blogger Nate McFeters has asked the question, 'Should vulnerabilities be treated as defects?' McFeters claims that if vulnerabilities were treated as product defects, companies would have an effective way of forcing developers and business units to focus on security issues. McFeters suggests providing bonuses for good developers, and taking away from the bonuses of those who can't keep up. It's an interesting approach that, if used, might force companies to take a stronger stance on security-related issues."
Re:Of course vulnerabilities are defects (Score:5, Informative)
But then what do you call design features like Windows networking telling you if you got the first letter of your password right, even without the rest of the password, and then letting you do that for the next letter, and so on and so on?
It was a feature of early Windows networking to do just that! Like people might 'forget' their password, so they would 'need' a feature that would tell them, letter by letter, if they were getting warmer on remembering the password! Hackers had a FIELD day with various 'features' of Microsoft products.
Edwards Deming would disagree (Score:5, Informative)
When I think of defects and total quality management, I think of Edwards Deming.
Edwards Deming saw the problem of defects as a systems issue, not an individual performance issue. And his theory was that paying someone based on performance would have the unintended consequence of increasing the number of defects, not decreasing them (here is the list of Deming's 14 principles with my emphasis added in bold).
Re:No. They'd get sued (Score:5, Informative)
The article (at least in my reading) isn't saying that they should be held legally accountable as selling a defective product. Instead it's about how companies should approach a bug report of a vulnerability. He's saying, when someone reports a vulnerability, consider it something that you're obligated to fix, not as a feature request.
But then, I think most people do. It seems like he hit a bad support person.
I ran into a similar problem once with Citrix, actually. Their software was relying on some library that it assumed was installed, even though recent Linux releases (at the time) had stopped using that library. The result was that the software didn't work until you tracked down that library, dropped it in the right place, and then it worked fine.
So I went to their website to give feedback, just to let them know. I mean, I'm sure they would have figured it out, but I thought, "may as well give them a heads up" because it was happening on major Linux distros almost a year after their release. Citrix had released several updates to their software, and never fixed this problem. I couldn't find any place on their website to provide feedback, except for a form to give feedback about the website itself.
So I wrote up a little feedback, trying to explain the situation briefly (i.e. "I wanted to drop some feedback to your development team letting them know there's a problem and how to fix it, but I can't find any contact information on your website. Is there any way to submit this sort of feedback?"). The response came back quickly: "If you want support, you'll have to pay for a support contract."
I wrote back again, trying to explain, "No, see, I'm not looking for help, I'm trying to be helpful. I'm letting you know that there's a problem I already know how to fix. I was just wondering if there was a place to submit this sort of feedback."
Again, the response came in, "I'm sorry sir, but if you want us to help you with this problem, you'll need to buy our support contract."
At that point, I gave up.
Re:Of course vulnerabilities are defects (Score:3, Informative)
Keep in mind the original RFC for SMB file sharing had nothing about encrypting the password. Networks were new, the internet nonexistent; we're talking 1979 or earlier here. The original Windows SMB file sharing was over NetBIOS, not even over TCP/IP (because Windows had no TCP/IP stack), so having SMB tell you that each letter of the password was individually correct was more along the lines of routers coming with the default password of 'admin' before they're configured or if they're manually reset.
It seems too boneheaded to be true, but SMB was started early in the Windows 3 days, when 640k was still enough for most people.
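The flaw described in this comment and the earlier one (a check that accepts any correct prefix of the password), modelled as an added example that is not from the page or from any Microsoft code: the prefix-only comparison beside a full-length, constant-time check, plus the worst-case guess count each one implies. The password value, function names and alphabet size are constructed for illustration.

```python
import hmac

# Constructed sample credential for the demonstration; not a real secret.
STORED_PASSWORD = b"s3cret!"


def prefix_check(supplied: bytes, stored: bytes = STORED_PASSWORD) -> bool:
    """Models the behaviour the comments describe: only as many characters
    as the client sent are compared, so a single correct first letter (or any
    correct prefix) is accepted and each character can be confirmed alone."""
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied


def full_check(supplied: bytes, stored: bytes = STORED_PASSWORD) -> bool:
    """Hardened form: the whole credential must match, and the comparison is
    constant-time so response timing does not leak how far the match got.
    compare_digest returns False for inputs of different length."""
    return hmac.compare_digest(supplied, stored)


def worst_case_guesses(length: int, alphabet_size: int, per_character: bool) -> int:
    """Guesses needed to exhaust the space in the worst case.

    per_character=True models the prefix check, where each position can be
    confirmed independently (alphabet_size * length guesses).
    per_character=False models the full check, where the whole password must
    be guessed at once (alphabet_size ** length guesses)."""
    if per_character:
        return alphabet_size * length
    return alphabet_size ** length


def compare_designs(supplied: bytes) -> dict:
    """Run one supplied value through both designs for side-by-side review."""
    return {"prefix_check": prefix_check(supplied), "full_check": full_check(supplied)}


if __name__ == "__main__":
    for attempt in (b"s", b"s3c", b"x", STORED_PASSWORD):
        print(attempt, compare_designs(attempt))
    print("prefix design:", worst_case_guesses(7, 26, True), "guesses")
    print("full design:  ", worst_case_guesses(7, 26, False), "guesses")
```

The guess-count functions make the severity concrete: the prefix design reduces a 26^7 search to 26 * 7 confirmations, which is why the comments call it a field day.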
Re:Of course vulnerabilities are defects (Score:3, Informative)
The reality is that CHMOD is a basic form of DRM.
I must say, my keyboard would be absolutely soaked if I was drinking something right now. My maildirs and private keys? Not yours and I'm not setting public read. httpd.conf? Sure, I'll set public read and owner write so you can look at it and even copy it for non-disruptive editing for whatever reasons. It's also worth noting that a lot of 'users' don't even have people behind them on a typical home system.
It would be DRM if RO access meant you couldn't edit the copy. Moreover, all current incarnations of DRM would try to get in the way of copying files in the first place (usually by having the file behave differently on other systems). DRM is for enforcing artificial scarcity, permissions are for keeping systems intact and protecting private information on shared systems. I suppose you're going to call passwords DRM, too?
I'm not really in disagreement with the post as a whole, but the first paragraph really made me cringe.