What do you think about the full disclosure of vulnerabilities?
I'm quite neutral about this. On one hand, I think that it should be every customer's right to point out flaws in the products they buy and I really don't see why those who find bugs should be *obliged* to first report it to the vendor - i.e. why should they be forced to do a free Q&A with the vendor?
On the other hand, when we look at the quality of the advisories published these days, where most of the bugs reported are just some denial of services, I have the feeling that people are looking for cheap publicity. It's quite understandable that companies which are victims of those "audits" might feel a bit pissed off.
Naturally, from time to time we see a very interesting bug report, sometimes presenting a new class of bugs or a new method of exploitation. It's hard to overestimate the value of such reports for the security community, so if the author decided to release those information for free, I guess we all should only be grateful to the author.
What is your opinion about Microsoft Patch Tuesdays? Shouldn't there be more frequent patch releases?
I guess there should be, but I can also understand that releasing a patch is a complicated business process, because it requires lots of testing, etc. I also realize that even if we had patches released on a daily basis, that still would not be a sufficient solution, as attackers might still exploit some unknown vulnerability.
Thus, I think it's much more important that the OS itself provided various anti-exploitation technologies and also be designed to limit the damage of the potential successful exploitation (least privilege design, strict privilege separations, etc). And it's clear that Microsoft is going this way, although there's still room for improvement in this area.
What is the most interesting fact you've become aware of while researching for your recent papers?
It's hard to point to just one fact. Usually the most amazing thing is that something you though of before (e.g. some attack) actually does work after you implemented the proof-of-concept code. That's always very amazing for me.
What's your take on the open source vs. closed source security debate?
I don't like when people say that something is secure just because it's open source and inherently insecure, just because it's a commercial, closed source product.
Although it should be admitted that a lot of security technologies have been introduced in the open source systems for the first time, like e.g. ASLR which has been invented by PaX about 6 years ago.
What are your future plans? Any exciting new projects?
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.