[OpenIndiana-discuss] Critical security issue notification

Alan Coopersmith alan.coopersmith at oracle.com
Fri Apr 11 15:33:51 UTC 2014


On 04/11/14 06:34 AM, Bob Friesenhahn wrote:
> It is true that most new bugs are added in new software however it is also the
> case that improved methods are leading to detecting many bugs in mature software
> which otherwise would never have been found.

I've lost count of how many of the X.Org security advisories I've helped write
were for code written in the late 80's or early 90's and not found until we ran
a modern static analyzer over it, or security researchers attacked it with a
fresh eye and the knowledge that unlike when this software was written the
threat model has changed in ways like "people who can make a network connection
to your box are not just the guys in the same University lab" or "the user
running the system may not be someone you can trust, or just fire/expel/court-martial
if they break root".

As OpenSSL proved, "many eyes make all bugs shallow" only applies when:
	a) many eyes are actually looking at the code, not just a few
	b) the brains behind those eyes understand complex topics such
		as deep crypto math, network protocols, etc.

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
