Design, Not Patching, Key To Secure Software



David Utter
Staff Writer
2008-07-30



The current DNS cache poisoning variation requiring a fix on numerous nameservers around the globe could have been anticipated and stopped; one developer did that in 2000.


The chase is on, with security pros racing against attackers to get a critical DNS issue fixed. Although an advisory and patch became public in early July, that patch may not be reaching every system that needs it fast enough to stay ahead of criminals.

Already, two exploits for the DNS flaw have appeared as code in Metasploit, a testing tool that can be used for unfriendly purposes. The ability to exploit the flaw in a way that would redirect a major financial institution's visitors to a fake site promises disastrous consequences without a fix.

The need for a patch did not have to exist. Security expert Bruce Schneier pointed out how a design that considered security would have helped against these possible exploits.

As he further noted, one developer did anticipate this issue, all the way back in 2000. Although those in the know will wink and nudge others about how everyone knew DNS was insecure, cryptographer Daniel J. Bernstein figured out source port randomization eight years ago and tucked it into djbdns, a DNS program he created.

"Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them," said Schneier.

"That's what a good design looks like. It's not just secure against known attacks; it's also secure against unknown attacks. We need more of this," he continued.

Security suffers when developers focus more on accomplishing the task the software is meant to perform than on its implications. Including security perspectives during the development process, as Bernstein demonstrated, isn't a panacea against all future attacks, but it should stop more of them than an insecure application does.



About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
