Who Does The Reviews

By Larry Seltzer  |  Posted 2004-02-22

And it's not just Microsoft that reviews Microsoft products. Howard told me that an extensive outside review of Windows XP SP2 is currently underway. Since a recompile with new compilers is an important part of SP2, the review will include examination of the compilers too.
No doubt, many people consider that Microsoft is either lazy or stupid when it comes to security, and we all wish they had gotten better at it faster. From the information provided by Howard, it sounds as if Microsoft is very serious about security and is capable of doing it right.

Yet serious problems persist in Microsoft products, just as they persist in open-source products. The reason is less that nobody cares than that it's hard to write good software that's free of security problems. Admittedly I learned to program back in the Reagan administration, but nobody told me to look out for security holes then, and I doubt many programmers cared until very recently. A good code review is no easy task, and besides, it's not easy to focus on security needs at the same time you're trying to write a program that has some actual, useful goal. Nowadays, minding security is something that has to be done, but it's still not taught in many schools. Worse, it's something few people know how to do well.

The one bug that has come out so far (as I write this) from the leaked source is a great example of how this all works. The bug was an integer overflow bug, potentially leading to execution of arbitrary code. The code that was leaked was dated about 3.5 years ago, when few, if any, people were aware of integer overflows as a potential security problem. A good code review, by the standards of 3.5 years ago, could easily have missed this problem. Microsoft's statement on the matter is that the problem was found and fixed in Internet Explorer 6, and it is completely plausible that a later review, with an awareness of integer overflows and their implications, found the problem. (Some would claim that Microsoft should issue a fix for the bug in IE 5.x, but the company's official position has for some time been that all users should move to IE 6.) On the other hand, the "OpenSSL ASN.1 parser insecure memory deallocation" bug, which was very similar to the recent Windows vulnerability related to the same ASN.1 standard, got comparatively little publicity, even though pretty much every open-source operating system uses it. Every version of OpenSSL up to that point was vulnerable, which means it had slipped through for years. How could this have happened? Simple: because it's hard to find these things.
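The paragraph above names the failure mode but not its mechanism. As an added example, not the leaked code or anything from Microsoft or OpenSSL, here is the shape of length arithmetic that a reviewer of that era would pass as correct, beside the checked form a modern review expects; the 4-byte length-prefixed record format and the sample records are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR 4u  /* constructed format: 4-byte little-endian length, then payload */

/* Constructed sample records (not taken from any real product). */
static const unsigned char kGoodRecord[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char kHugeRecord[] = {0xff, 0xff, 0xff, 0xff, 'x'};
static const unsigned char kShortRecord[] = {5, 0, 0, 0, 'h', 'i'};

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Review-era arithmetic: reads as "payload plus header", but the add is
 * done in uint32_t and wraps. A claimed length of 0xFFFFFFFF yields 3,
 * so a caller would allocate 3 bytes and then copy far more into them.
 * Nothing here looks wrong line by line; the bug is in the range. */
uint32_t alloc_size_unchecked(uint32_t length) {
    return length + HDR;
}

/* Hardened arithmetic: reject a length that cannot be represented once
 * the header is added, and a length larger than the bytes actually
 * present. Returns the allocation size, or 0 on rejection. */
uint32_t alloc_size_checked(uint32_t length, size_t avail) {
    if (length > UINT32_MAX - HDR) return 0; /* would wrap */
    if (length > avail) return 0;            /* truncated input */
    return length + HDR;
}

/* Parse the header of a buflen-byte record and return the buffer size to
 * allocate for it, or 0 if the record must be rejected. */
uint32_t record_alloc_size(const unsigned char *buf, size_t buflen) {
    if (buflen < HDR) return 0;
    return alloc_size_checked(read_le32(buf), buflen - HDR);
}

int main(void) {
    printf("unchecked 0xFFFFFFFF -> %u\n", alloc_size_unchecked(0xFFFFFFFFu));
    printf("good  -> %u\n", record_alloc_size(kGoodRecord, sizeof kGoodRecord));
    printf("huge  -> %u\n", record_alloc_size(kHugeRecord, sizeof kHugeRecord));
    printf("short -> %u\n", record_alloc_size(kShortRecord, sizeof kShortRecord));
    return 0;
}
```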

Wouldn't it be great if the relationship of source code and security were as simple as some people make it? If you search the CERT Coordination Center's vulnerability database, especially when sorting by their severity metric, you see lots of platforms well represented. Open source doesn't make code secure, nor does closing source make it insecure.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out eWEEK.com's Security Center at http://security.eweek.com for the latest security news, views and analysis.

More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
