I just finished reading this story:
Oracle exec hits out at 'patch' mentality
To sum it up, eh?
Oracle's Chief Security Officer Mary Ann Davidson has a number of fine quotes regarding the state of computer security. She is either very uninformed as to how things work, or spreading FUD. The article speaks of government regulation of software. I can only imagine this working in one of two ways.
The government will make it illegal to find flaws in software, which would do a great disservice to the users. Flaw finders would just move underground as there will always be a market for security flaws. I like to think many of the advances in security over the past few years have been the result of healthy public discussion and disclosure.
The other possibility would be to fine software companies who write buggy code. This would likely drive vendors out of business or to countries which lack such a crazy law. I doubt this would be the case, as the company Mary Ann Davidson works for doesn't have the greatest track record. There are many software companies with great sums of money, and great sums of money can help politicians make the right choice.
My other favorite part from the article is this quote
"What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."
I've heard analogies such as this more than once; it's a silly and uninformed comparison. Comparing two industries that have nothing in common is pointless. This is like saying "If the bread making industry was like the car industry, you could be injured while eating a sandwich".
We can make some sense out of this quote though. The quote is meant to make us think about regulation. There are certain levels of quality the government demands when a road or bridge is built. This is done for the safety of the people who use the roads and bridges. The cars however don't have strict safety regulations. There are certain minimums that must be met, but in general it is up to the car makers to incorporate much of the safety features.
Competition has created safer cars. In the US, the safety of cars is rated by a group called the National Highway Traffic Safety Administration. The NHTSA takes cars and crashes them into things, then assigns a number of "stars": one being the worst, five being the best. If someone creates a car with a one star rating, nobody is going to buy it, as it will be a death trap. When a car gets a five star rating, the manufacturer typically releases a number of commercials touting its safety, as they should, since it's not the easiest thing to do.
My above ramblings seem to suggest that if the government wants the quality of software to increase, they should foster more competition in the software industry, not regulation.