[kwlug-disc] Security arguments

Khalid Baheyeldin kb at 2bits.com
Tue Sep 22 11:31:45 EDT 2009


On Tue, Sep 22, 2009 at 11:10 AM, <john at netdirect.ca> wrote:

> You could choose to search the CERT database
> https://www.kb.cert.org/vuls/html/search but even that needs to be done
> carefully. The number of items and the severity of bugs need to be
> evaluated. Also be aware that not all vulnerabilities may be listed there.
>
> Apache is open source so it will have vulnerabilities found that have never
> been exploited. They were found by examining the code. With IIS, since there
> is no source code generally available, the bugs may be ones actualy
> exploited. Minor flaws found by MS staff may not be reported. I suspect that
> more of apache's flaws are listed in CERT and fewer of IIS flaws are.
>

This is an excellent point, and needs to be emphasized more.

I have seen FUD that does exactly that: goes to CERT and counts how many
advisories against software X (closed source) vs. software Y (open source),
and because the open source one is numerically more, then open source is by
implication inferior to closed source, because it is insecure.

This is wrong, and mere FUD. Many open source weaknesses are never
exploited, and are discovered by the many eyes that scour the source every
day.

Advisories != Actual Exploits

A similar case was Drupal had a lot of FUD agaisnt it for having too many
security advisories. The issue was there was no differentiation between core
and contrib. Contrib is basically the wild west, where anyone can create a
module, and the result is 4,800+ (across version). The quality varies, some
being very good, others being extremely bad.

So, starting with 2009, we have numbered the advisories for Core separately
from Contrib. The result: we have 8 advisories for 2009 for core, and 59
advisories for contrib. Under the old scheme, it would be 67 total, ooh
look, bad Drupal!

Again, an advisory does not mean an actually exploited vulnerability. It is
a potential attack vector that needs to be plugged.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://astoria.ccjclearline.com/pipermail/kwlug-disc_kwlug.org/attachments/20090922/36c1c4b5/attachment.html>


More information about the kwlug-disc_kwlug.org mailing list