OpenBSD’s Theo de Raadt talks software security
In an exclusive interview with Computerworld's Rodney Gedda, the man behind an operating system that lays claim to only one remote exploit in the default install in seven years, reveals where we are headed – and how far we have to go – in the search for more secure software
What are some of the things that the software industry today is neglecting or ignoring in terms of security and why do we have some many security problems?
Almost all the security problems that happen in software, like probably 95 percent of them, are low-level programmer errors. What happens is people are misusing program functions; they think they know how to use them but they’re making very, very dumb errors and very small errors. These are things that we’ve been getting away with forever. The things that people learn from these things are copied by people reading code. These erroneous paradigms are being copied into newer pieces of code over, and over, and over. So now with the open source community and the close source community, we are faced with, let’s say billions of lines of source code, all written by people who have made the same paradigm errors and passed them on to the next program. That’s why we have security holes. An attacker is using the unintended side-effect of a bug, and since he understands them, he takes the unintended side-effects and twists them to give him privilege. He gets himself privilege because the machine behaves so regularly.
By Rodney Gedda at Computerworld.
[ Read more ]