Security software vulnerabilities: A unique and growing threat


re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci990080,00.html

"We expect security software that guards our systems, applications and data to be better than other software: more stable, more reliable and certainly more secure. Recent vulnerability disclosures for well-known security products show that this software suffers from the same kinds of problems as the applications and operating systems that administrators constantly patch."

It is instructive that this is titled "unique" and "growing" and the quote begins with "We expect security software ... to be better ...". 

The common level of software engineering applied to security software has not decreased recently (needed to support the "growing" in the title :-).

What this article appears to show is a problem more with the accuracy of the perception of users of technology, than with the technology itself.  Without good objective reasons to believe this, users continue to assume that just because it is a security function, it is being built using an engineering process that is markedly different from that used to develop the rest of the system.  Not true!  This assumption is likely to result in over-estimating the risk mitigation being achieved; resulting in unsafe system use that could have been avoided with more realistic expectations.

Cheers,
Gary


**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
*
Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************
