Geeks With Blogs
IT Digest - Ingenious Tejas's Digest Blog

More and more software vulnerabilities are found every day, in everything from operating systems down to small applications. Millions, sometimes billions, of dollars worth of productivity is lost because of these vulnerabilities. How do they get into the software? They are there because of programming errors that shipped in the packaged software. Reviewing that code from a security point of view is important, and applying secure coding methods helps the software maker in many ways, both financially and in the market.

Chris Wysopal, who works at @Stake, lays out the following timeline of the software patching process:


1. Vendor ships software with latent security flaw.

2. Vulnerability researcher or a customer discovers the flaw through directed testing or by chance and reports it to the vendor.

3. A maintenance engineer at the vendor reproduces the flaw and tracks down the place in the source code where the original programmer made a coding error.

4. The engineer fixes the problem in the source code, builds a patch, and runs a regression testing suite to make sure the fix didn't create additional coding errors.

5. The vendor issues a patch and notifies customers.

6. Attackers develop exploits based on the flaw to compromise vulnerable computers before patches are in place.

7. Customer downloads patch, potentially runs a test suite, and then deploys the patch on each vulnerable computer.


As the list shows, a lot of time can go by between when a flaw is found and when the customer patches their system. Two important things that I can think of to avoid this situation are:


1) User awareness, by means of training, education seminars, etc., both for the coders and for the users of the systems.

2) Putting more emphasis on secure coding. This can be done by training coders in secure coding and in a proper secure coding process. @Stake also sells software that analyses your software and tells you where the flaws are.


Tejas Patel

Posted on Wednesday, May 26, 2004 11:34 AM | Security, Technical

Copyright © Tejas Patel | Powered by: GeeksWithBlogs.net