Secure Coding mailing list archives
SC-L Digest, Vol 2, Issue 183
From: mark at markgraff.com (Mark Graff)
Date: Sat, 4 Nov 2006 14:48:19 -0800
Gary McGraw said:
Ed Felten and I found out early on (back in 1996) that you can use the press as a lever to get companies to do the right thing. We learned this when releasing the very first Java Security hole. We found out that Sun paid much more attention once USA Today picked up the story from comp.risks. Later, we could disclose the problems responsibly...
I told my part of this tale in "Secure Coding" (O'Reiily, 2003--with KRvw, of course). I was Sun's corporate-wide "Security Coordinator", responsible for fixing, or getting fixed, all security bugs or flaws in our products. I had analyzed, without source code, the Java jail approach and had identified what I thought was a potential problem. I reached out internally and had a series of meetings with the main designer, the main architect, and the person who was in charge of security for Java. I told them each that my experience and intuition indicated that there would be a serious security bug, "right there", and volunteered to round up a group of volunteer external experts (I was well plugged into FIRST at the time) to help analyze potential problems. All this was before any security bugs had been found in Java. And as busy as I was keeping up with bugs fixes, disclosures, and exploits inh UIX/Solaris, I was determined to act proactively and help perfect what I saw as a great step forward in security. The three Java experts gave me the cold shoulder. I persisted. They told me to go away, and expressed with force and conviction that there were not--could not be--any security bugs in Java. About 10 weeks later, I was at a national-security conference in Houston. While I was walking up to give my address on the Java Security Model--literally, while I was taking to the stage--an acquaintance there said, "Hard day for Sun security types, I guess" He then showed me the USA Today headline Gary referred to in his post. It turned out that Gary and Ed had independently discovered and (unsuccessfully) reported the self-same bug I had hypothesized about. It was fixed a few short weeks later. Hubris is not endemic to a single company, or individual. And the inability to see our own mistakes (sometimes, even when they are pointed out to us) is something I don't believe we software types can even claim as particular to our occupation. It is, as luminaries like Peter Neumann and James Reason have amply demonstrated, a failure common to that combination of orderly and creative thinking we call engineering. Similarly, for reasons Ken and I discuss in Chapter 1 of "Secure Coding", the corporate animal really will, all too often, turn the Reality Distortion Field on full-force rather than deal with a pre-headline problem. I often ask myself which set of dangerous behavior--corporate blindness, or preemptive disclosure--is more likely to trigger the first security-bug-caused death. I don't know. Can we turn the ship of software development before we hit that rock? I doubt it. One hopes. -mg-
Current thread:
- SC-L Digest, Vol 2, Issue 183 Mark Graff (Nov 04)