John Pescatore

A member of the Gartner Blog Network


Wake Up and Smell the Patches – Then Call the Fuzz

October 27th, 2008 · No Comments

On Friday, Neil Macdonald and I pushed out a Gartner First Take on the importance of patching the latest Windows vulnerability. Over the weekend, more active exploits did come out – make sure you patch (and reboot) your home PCs, too. Microsoft put out a few additional areas of guidance that have some good detail if you are using ISA Server and other Microsoft products: see here and here.

Michael Howard of Microsoft was part of the team that gave Gartner an advance briefing on this issue last week, and he put out a nice analysis of how this one got through Microsoft’s Secure Development Lifecycle. His analysis is solid and shows how a security-centric approach to software development may not catch everything, but can mitigate the impact of the vulnerabilities that do get through.

Many of the critical software vulnerabilities being found in mature software products these days are like this one, or of the “malformed input” variety – basically, errors that require a very complex set of input conditions to trigger. That’s why fuzzing tools are quite often involved in their discovery. The problem is that the good guys can only run fuzzing tools for a finite number of processor cycles (MIPS * hours) before the software ships, while after the software ships the bad guys have essentially unlimited cycles.

Of course, that just means the good guys have to keep running the tools after the software ships, but it also means the next big leap in software security will be how to apply the logical equivalent of variable typing to more complex inputs, like files, media streams, and more complex conditions like what triggers this latest flaw. I think this is a big deal, since the world is only getting more complex (think mashups). It is back to the chess game analogy – we have to keep increasing our ability to look more moves ahead to keep forcing the opponent towards our strengths.
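As an added illustration of the two paragraphs above (example code written for this page, not from the post, Gartner or Microsoft): a constructed five-byte-header record format, a parser that trusts its header, a parser that applies declared per-field types and a declared record shape before using anything, and a minimal mutation fuzzer that counts how often each parser fails with something other than a clean rejection.

```python
import random, struct

# Constructed record format (illustration only, not from the post):
#   magic(2) | version(1) | payload_len(2, little-endian) | payload
MAGIC, MAX_PAYLOAD = b"GT", 64
HEADER = struct.Struct("<2sBH")
SEED_REC = HEADER.pack(MAGIC, 1, 11) + b"hello world"  # one well-formed record

def naive_parse(buf: bytes) -> bytes:
    # Trusts the header, the way malformed-input bugs typically arise.
    length = HEADER.unpack_from(buf)[2]                          # struct.error if too short
    return bytes(buf[HEADER.size:][i] for i in range(length))    # IndexError if length lies

# The "typing" idea: each field gets a declared type and range, the record a declared shape.
FIELD_RULES = {"magic": lambda v: v == MAGIC,
               "version": lambda v: 1 <= v <= 2,
               "payload_len": lambda v: v <= MAX_PAYLOAD}

def typed_parse(buf: bytes) -> bytes:
    # Returns the payload of a well-typed record; any other input gets ValueError.
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    fields = dict(zip(FIELD_RULES, HEADER.unpack_from(buf)))
    for name, ok in FIELD_RULES.items():
        if not ok(fields[name]):
            raise ValueError(f"{name} out of range: {fields[name]!r}")
    if len(buf) != HEADER.size + fields["payload_len"]:
        raise ValueError("payload_len disagrees with record length")
    return buf[HEADER.size:]

def mutate(rec: bytes, rng: random.Random) -> bytes:
    # Minimal mutation fuzzer: flip one byte, truncate, or append junk.
    b, op = bytearray(rec), rng.randrange(3)
    if op == 0:
        b[rng.randrange(len(b))] ^= rng.randrange(1, 256)
    elif op == 1:
        del b[rng.randrange(len(b)):]
    else:
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(b)

def fuzz(parser, iterations: int, seed: int = 2008) -> int:
    # Count inputs on which the parser fails with anything but a clean ValueError.
    rng, crashes = random.Random(seed), 0
    for _ in range(iterations):
        try:
            parser(mutate(SEED_REC, rng))
        except ValueError:
            pass  # an explicit rejection is the intended, typed outcome
        except Exception:
            crashes += 1  # the kind of failure fuzzing finds after the software ships
    return crashes
```

Both parsers accept the well-formed record; under the same mutated inputs the trusting parser hits struct.error and IndexError, while the typed parser only ever rejects.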

Joseph Feiman and Neil have a lot of research notes out on the tools and processes to support all this. Here’s a picture of the three of us on stage at the recent Gartner IT Security Summit in London.


Tags: Uncategorized
