BlueHat @ Microsoft

March 10, 2006

Recently I attended a cool event at Microsoft called BlueHat; you may have heard about it. Read more about it here.

Security Fix – Brian Krebs on Computer and Internet Security – (washingtonpost.com)


Okay, so this article discusses security flaw counts published by CERT: 812 for Windows and 2000+ for Unix/Linux. First of all, you shouldn’t lump all *nix bugs together. I’d like to see the breakdown by individual OS, and also what percentage of those bugs are found in multiple systems (i.e. the same security bug counted once per flavor of Linux because of shared code, vs. bugs introduced only into that version’s code). Working in security myself (mostly application security, for the ACE Team), I have to say that this is basically useless information. Why? Because security bugs are wide and varied, with different degrees of severity, exploitability and reproducibility (btw: is that a word?).

For example, we log lots of low-severity bugs (we have basically five severity levels) but only require the high-severity bugs to be fixed. Why? Because only those bugs can be exploited in some way. What’s a low-severity, non-exploitable bug, you say? One that doesn’t follow best practice, or goes against the doctrine of defense in depth. More on that in another post. My point is that security is not a cut-and-dried, black-and-white “812 flaws, 2000+ flaws” type of deal; each bug has its own merits and severity, resulting in a variety of actions.
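To make the two objections above concrete (shared-code bugs inflating a per-distribution count, and raw counts ignoring severity and exploitability), here is a small added example. It is not code from the post or from the ACE Team; the advisory records are constructed, the five-level severity scale follows the post, and the rule that only exploitable bugs at severity 4 or higher are required fixes is an assumption standing in for the post's "high severity" bar.

```python
from collections import defaultdict

# Constructed sample data (not real CERT figures): one record per
# (bug, affected OS) pair, which is how per-distribution advisories
# get tallied into a headline "N flaws for Linux" number.
ADVISORIES = [
    {"bug": "BUG-0001", "os": "Windows", "severity": 5, "exploitable": True},
    {"bug": "BUG-0002", "os": "Windows", "severity": 2, "exploitable": False},
    {"bug": "BUG-0003", "os": "Red Hat", "severity": 5, "exploitable": True},
    {"bug": "BUG-0003", "os": "Debian",  "severity": 5, "exploitable": True},
    {"bug": "BUG-0003", "os": "SUSE",    "severity": 5, "exploitable": True},
    {"bug": "BUG-0004", "os": "Red Hat", "severity": 3, "exploitable": False},
    {"bug": "BUG-0004", "os": "Debian",  "severity": 3, "exploitable": False},
    {"bug": "BUG-0005", "os": "Debian",  "severity": 1, "exploitable": False},
    {"bug": "BUG-0006", "os": "SUSE",    "severity": 4, "exploitable": True},
]

LINUX = {"Red Hat", "Debian", "SUSE"}

# Assumed fix bar: severity scale is 1..5, and only exploitable bugs at
# or above this level are required fixes (a stand-in for "high severity").
FIX_SEVERITY = 4


def raw_count(records, os_set):
    """The headline number: one per advisory, so a shared bug counts once per OS."""
    return sum(1 for r in records if r["os"] in os_set)


def per_os_breakdown(records):
    """Advisory count per individual OS, the breakdown the post asks for."""
    counts = defaultdict(int)
    for r in records:
        counts[r["os"]] += 1
    return dict(counts)


def shared_vs_unique(records, os_set):
    """Within os_set, split bug IDs into those affecting more than one OS
    (shared code) and those seen on exactly one OS."""
    seen_on = defaultdict(set)
    for r in records:
        if r["os"] in os_set:
            seen_on[r["bug"]].add(r["os"])
    shared = {b for b, oses in seen_on.items() if len(oses) > 1}
    unique = set(seen_on) - shared
    return shared, unique


def must_fix(records, min_severity=FIX_SEVERITY):
    """Distinct bugs that are both exploitable and at or above the severity bar."""
    return sorted({r["bug"] for r in records
                   if r["exploitable"] and r["severity"] >= min_severity})


def main():
    shared, unique = shared_vs_unique(ADVISORIES, LINUX)
    print("raw Linux count :", raw_count(ADVISORIES, LINUX))
    print("distinct Linux  :", len(shared) + len(unique),
          "(shared:", sorted(shared), "unique:", sorted(unique), ")")
    print("per OS          :", per_os_breakdown(ADVISORIES))
    print("must fix        :", must_fix(ADVISORIES))


if __name__ == "__main__":
    main()
```

On the constructed data the raw Linux count is 7 advisories but only 4 distinct bugs, two of which are shared across distributions; and of all 6 distinct bugs on both platforms, only 3 clear the exploitable-and-high-severity bar. The same aggregation run over real advisory feeds is what you would need before comparing one platform's number against another's.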