In Greek mythology, Sisyphus was punished in Hades by being made to roll a large
stone up a hill, only to have it roll back to the bottom when he neared the
top. I was thinking the other day how similar this is to how security
updates are handled. This applies to everybody doing security updates: a
constant process where, as soon as it seems you're in the clear, something
new arrives that needs to be dealt with.
There will never be any source code which is free of bugs. It's estimated
that for every ten lines of source, there is one bug. I'm not sure if
there is an estimate regarding how many of those could be classified as
security issues, but I think it's safe to say there are plenty of them.
I've found that fixing security bugs is a task a lot like Sisyphus': no
matter how many times you roll the patches up the hill, they just keep
rolling back down.
The real future in keeping a computer secure does not lie in patching the
various issues, it lies in preventative technologies. I'm not suggesting that
nobody ever applies a security patch, just that the current immediate need for
them should be reduced. Even with preventative technologies, it's possible
that an evildoer could leverage multiple issues to compromise a machine.
There will also always be certain attacks that are nearly impossible to
stop with a preventative technology (cross-site scripting attacks come to
mind as one).
There are some interesting things happening in the Linux universe right now
that can help address a large number of security issues. SELinux,
Exec-Shield, gcc FORTIFY_SOURCE, and user-specific /tmp are some of the
current big ones, but I'm sure there is more to come (and even more I don't
know of yet).
For the sake of keeping this entry short, I'm going to stop here, but there is
much, much more to be covered regarding this topic.