All Software Has Vulnerabilities

No matter how smug you are about it, and how much you claim that security is someone else's problem, software will have vulnerabilities. It is a fact of life because software is, by far, the most complex engineering task mankind has ever undertaken.

In that light, I found a quote by Alan Paller, of the SANS Institute, in the latest @Risk Consensus Security Vulnerability Alert quite revealing:

If you are ever asked which operating system is safer, the following 'non-aligned' rule may be of some help. Given a fixed level of programming skill, the number of vulnerabilities in software is directly proportional to the number of lines of code and inversely proportional to the length of time the software has been in wide use. Large numbers of critical vulnerabilities are being, and were bound to be, discovered in Apple's operating system because Steve Jobs may design better hardware, but his programmers are no better at writing secure code than programmers in other software organizations. Alan

Secure software is produced by software developers who have been adequately trained, who have great tools at their disposal, and who work in a supportive culture that makes it easier to do the right thing and harder to do the wrong thing.

Published Tue, Nov 20 2007 2:04 PM by jesper

Comments

# HiltonT said on 21 November, 2007 03:31 AM

Hi Jesper,

Did Alan have a brain fart? When was the last time Steve Jobs actually designed a piece of Apple hardware? Ever since he saw the error of his ways and moved to the Intel platform and went to a usable base OS (i.e., BSD), he's not designed a bit of hardware - pretty much any current Mac is pretty much any current PC.

Sure, Apple's OS was destined to be found as flawed as Microsoft's latest pathetic attempt at an OS, it is just that the Apple Zealots cannot accept this.

Software is software, coders are coders, and a buggy, poorly written app is a buggy, poorly written app no matter what platform it is. Look at anything Adobe releases, for instance...

Regards,

HiltonT