David A. Wheeler's Blog

Wed, 31 Dec 2014

I hope we learn from the computer security problems of 2014

As 2014 draws to a close, I hope anyone involved with computers will resolve to learn from the legion of security problems of 2014.

We had way too many serious vulnerabilities in widely-used software revealed in 2014. In each case, there are lessons that people could learn from them. Please take a look at the lessons that can be learned from Heartbleed, Shellshock, the POODLE attack on SSLv3, and the Apple goto fail vulnerability. More generally, a lot of information is available on how to develop secure software - even though most software developers still do not know how to develop secure software. Similarly, there are a host of lessons that organizations could learn from Sony Pictures.

Will people actually learn anything? Georg Wilhelm Friedrich Hegel reportedly said that, “We learn from history that we do not learn from history”.

Yet I think there are reasons to hope. There are a lot of efforts to improve the security of Free/Libre/Open Source Software (FLOSS) programs that are important yet inadequately secure. The Linux Foundation (LF) Core Infrastructure Initiative (CII) was established to “fund open source projects that are in the critical path for core computing functions” to improve their security. The most recent European Union (EU) budget includes €1 million for auditing free-software programs to identify and fix vulnerabilities. The US DHS HOST project is also working to improve security using open source software (OSS). The Google Application Security Patch Reward Program is also working to improve security. And to be fair, these problems were found by people who were examining the software or protocols so that the problems could be fixed - exactly what you want to happen. At an organizational level, I think Sony was unusually lax in its security posture. I am already seeing evidence that other organizations have suddenly become much more serious about security, now that they see what has been done to Sony Pictures. In short, they are finally starting to see that security problems are not theoretical; they are real.

Here’s hoping that 2015 will be known as the year where people took computer security more seriously, and as a result, software and our computer systems became much harder to attack. If that happens, that would make 2015 an awesome year.
